An easy-to-exploit bug allows unauthenticated attackers to pilfer reservation data and customer personally identifiable information. The vulnerability (CVE-2021-24299) is a persistent cross-site scripting (XSS) bug. A public proof-of-concept disclosure of the ReDi bug was released Sunday, with the official public disclosure delayed a month due to the severity of the vulnerability, according to the researcher. The bug affects versions prior to 21.0307, and a patched version of the plugin (v. 21.0426) is available for download.
Source: https://threatpost.com/reservation-system-easy-to-exploit-xss-bug/166414/

