Restaurant Menu < 2.3.6 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PoC

The exploit requires at least a contributor role. 1. Create and connect a GloriaFood account, and add a Restaurant. 2. Find the RUID on the GloriaFood Settings page. 3. Insert the following shortcode in a post/page by changing the RUID accordingly: [restaurant-reservations ruid=‘87cdb0a5-54ad-4296-a7d9-cd37fd217f68’ class=‘" onmouseover=“alert(1)”’]