The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
The exploit requires at least a contributor role.
1. Create and connect a GloriaFood account, and add a Restaurant.
2. Find the RUID on the GloriaFood Settings page.
3. Insert the following shortcode in a post/page by changing the RUID accordingly:
[restaurant-reservations ruid='87cdb0a5-54ad-4296-a7d9-cd37fd217f68' class='" onmouseover="alert(1)"']
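
The flaw described above, shown as an unescaped output pattern beside a validated and escaped one; this is an added example in standalone PHP, not the plugin's own code. The function names, the markup and the UUID-shaped RUID check are assumptions; inside WordPress, esc_attr() and sanitize_html_class() are the equivalents of the escaping and token filtering done here.

```php
<?php
// Added illustration, not the plugin's code. Function names, markup and the
// assumption that a RUID is UUID-shaped (as in the sample above) are hypothetical.

// Vulnerable pattern: shortcode attributes concatenated into HTML as-is.
// A double quote in $atts['class'] ends the class attribute, so whatever
// follows is parsed by the browser as further attributes of the element.
function render_reservation_vulnerable(array $atts): string {
    return '<span class="reservation-button ' . $atts['class'] . '"'
         . ' data-ruid="' . $atts['ruid'] . '">Table Reservation</span>';
}

// Validation: reduce the value to a space-separated list of plain class tokens.
// In WordPress, sanitize_html_class() per token does this job.
function sanitize_class_list(string $raw): string {
    $clean = [];
    foreach (preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) as $token) {
        $token = preg_replace('/[^A-Za-z0-9_-]/', '', $token);
        if ($token !== '') {
            $clean[] = $token;
        }
    }
    return implode(' ', $clean);
}

// Hardened pattern: validate each attribute, then escape at the point of output.
// In WordPress, esc_attr() is the escaping call for attribute context.
function render_reservation_hardened(array $atts): string {
    $uuid = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i';
    if (!preg_match($uuid, $atts['ruid'])) {
        return ''; // refuse to render with a malformed RUID
    }
    $class = trim('reservation-button ' . sanitize_class_list($atts['class']));
    return '<span class="' . htmlspecialchars($class, ENT_QUOTES, 'UTF-8') . '"'
         . ' data-ruid="' . htmlspecialchars($atts['ruid'], ENT_QUOTES, 'UTF-8') . '">'
         . 'Table Reservation</span>';
}

// Attribute values taken from the shortcode in step 3.
$atts = [
    'ruid'  => '87cdb0a5-54ad-4296-a7d9-cd37fd217f68',
    'class' => '" onmouseover="alert(1)"',
];
echo render_reservation_vulnerable($atts), PHP_EOL;
echo render_reservation_hardened($atts), PHP_EOL;
```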