Thanks for the report @pandaaaa.

* The Blind XSS fired when the order details were viewed by the admin at the back-end. The script was injected through an API endpoint from the Zomato app on one of the parameters which was recently introduced to provide special instructions to the restaurant on how to prepare the food.
I used XSS Hunter to do this and the payload used was -
I wasn't really testing when I found this bug. My mom was late and tired from the office and she asked me to order food and then I decided to try this. :P Thanks Mom! <3
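
The rendering flaw described in this report, shown next to a hardened form, as an added example that is not from the original report or from Zomato's code. The `special_instructions` field name, the order object and all function names are assumptions; the sample input is constructed and uses harmless markup.

```javascript
// Added illustration; every name here is hypothetical, not Zomato's code.

// Encode the characters that let text break out of HTML element content
// or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the back-end order view concatenates the customer-supplied note
// straight into markup, so any tags in it are parsed by the admin's browser.
function renderOrderUnsafe(order) {
  return `<tr><td>${order.id}</td><td>${order.special_instructions}</td></tr>`;
}

// "After": every API-supplied value is encoded at output time, in the view
// that displays it, regardless of which client or endpoint stored it.
function renderOrderSafe(order) {
  return `<tr><td>${escapeHtml(order.id)}</td>` +
         `<td>${escapeHtml(order.special_instructions)}</td></tr>`;
}

// Defence in depth at the API: the note is free text, so bound its length and
// reject control characters. This supplements output encoding, never replaces it.
function validateInstructions(text, maxLen = 200) {
  if (typeof text !== 'string') return false;
  if (text.length > maxLen) return false;
  return !/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(text);
}

// Constructed sample order: harmless markup standing in for injected content.
const sampleOrder = {
  id: 1042,
  special_instructions: '<b>no onions</b> & extra "spicy"',
};

console.log('unsafe:', renderOrderUnsafe(sampleOrder));
console.log('safe:  ', renderOrderSafe(sampleOrder));
```

Because the note is stored and only rendered later in a different application, the encoding has to live in the admin view itself; validation in the mobile app or at the API alone leaves the back-end exposed to any other path that writes the same field.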