CVE-2024-9240: 
WordPress vulnerability analysis and mitigation

The ReDi Restaurant Reservation plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-9240) discovered in October 2024. The vulnerability affects all versions up to and including 24.0902. The issue stems from improper use of the add_query_arg function without appropriate URL escaping (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 Base Score of 6.1 (MEDIUM). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs user interaction (UI:R) with changed scope (S:C). The impact affects both confidentiality and integrity at a low level (C:L/I:L) with no impact on availability (A:N) (NVD, Wordfence).

When successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This can lead to potential compromise of user data and session information (NVD).

Users should update their ReDi Restaurant Reservation plugin to a version newer than 24.0902, which contains the security fix. The vulnerability has been addressed in the WordPress plugin repository (WordPress Plugin).