Impact
VikAppointments Services Booking Calendar fails to neutralize user-supplied input, allowing malicious code to be stored and later executed within the browser context of any user who accesses the affected booking interface. The flaw is a classic stored cross-site scripting issue (CWE-79) that can be used to hijack user sessions, deface content, or exfiltrate data. The vulnerability carries a CVSS base score of 7.1, which the advisory characterizes as moderate severity with potentially high impact if exploited.
Affected Systems
The vulnerability exists in the VikAppointments Services Booking Calendar WordPress plugin for all releases up to and including 1.2.16. Any WordPress installation running a plugin version in that range is potentially affected. The vendor, e4jvikwp, does not list any release after 1.2.16 as affected, so newer plugin releases are presumed unaffected.
Risk and Exploitability
The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalogue, so the likelihood of active exploitation is currently low. However, the CVSS score of 7.1 combined with the stored nature of the XSS means an attacker who can submit malicious input through the booking form can inject code that persists for all future visitors. Since the flaw depends on input that is later rendered in the web interface, the attack path is typically an authenticated or publicly accessible booking form whose input is not properly encoded before storage or output.
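The following PHP illustrates the failure mode the Impact and Risk sections describe (a booking-form field stored raw and echoed unescaped) next to a hardened version that sanitizes on input and escapes on output. This is an added, generic WordPress example written for this page; it is not VikAppointments code and makes no claim about where the plugin's own defect lives. The function names, the demo_booking_note option key, and the nonce action are assumptions for the illustration; sanitize_text_field, wp_unslash, esc_html, esc_attr, wp_verify_nonce, update_option and get_option are standard WordPress APIs.

```php
<?php
// Added illustration of a CWE-79 stored XSS pattern in a WordPress form
// handler (not VikAppointments code). demo_booking_* names, the
// 'demo_booking_note' option key and the nonce action are assumed.

// ---------------------------------------------------------------------
// Vulnerable pattern: input is stored as submitted and printed unescaped.
// ---------------------------------------------------------------------
function demo_booking_save_note_vulnerable() {
    if ( isset( $_POST['booking_note'] ) ) {
        // No neutralization: markup and event-handler attributes survive
        // into the database exactly as the visitor typed them.
        update_option( 'demo_booking_note', wp_unslash( $_POST['booking_note'] ) );
    }
}

function demo_booking_render_note_vulnerable() {
    $note = get_option( 'demo_booking_note', '' );
    // Raw concatenation into HTML: stored markup is interpreted by the
    // browser of every user who views this page.
    echo '<div class="booking-note">' . $note . '</div>';
}

// ---------------------------------------------------------------------
// Hardened pattern: verify the request, sanitize input, escape output.
// ---------------------------------------------------------------------
function demo_booking_save_note_hardened() {
    if ( ! isset( $_POST['booking_note'] ) ) {
        return;
    }
    // Reject submissions that did not originate from our own form.
    $nonce = isset( $_POST['demo_booking_nonce'] ) ? $_POST['demo_booking_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_booking_save' ) ) {
        return;
    }
    // Input neutralization: strips tags and invalid octets, normalizes
    // whitespace. The note is plain text, so no markup is legitimate here.
    $note = sanitize_text_field( wp_unslash( $_POST['booking_note'] ) );
    update_option( 'demo_booking_note', $note );
}

function demo_booking_render_note_hardened() {
    $note = get_option( 'demo_booking_note', '' );
    // Output encoding at the point of use, chosen per context:
    // esc_attr() for an attribute value, esc_html() for element content.
    // Escaping on output also protects against records that were stored
    // by an earlier, unsanitized version of the handler.
    echo '<div class="booking-note" data-note="' . esc_attr( $note ) . '">'
        . esc_html( $note ) . '</div>';
}

// Helper used to reason about the escaping step in isolation: returns the
// text a browser will display rather than interpret. For the constructed
// input '<b>Call me</b>' this yields '&lt;b&gt;Call me&lt;/b&gt;'.
function demo_booking_encode_for_html( $untrusted ) {
    return esc_html( (string) $untrusted );
}

// Wiring for the hardened handlers (the vulnerable ones are shown only
// for comparison and must not be hooked).
add_action( 'init', 'demo_booking_save_note_hardened' );
add_shortcode( 'demo_booking_note', 'demo_booking_render_note_hardened' );
```

The detection angle for a defender reviewing a plugin of this kind is the same two checks the hardened version makes explicit: every write path from $_POST or $_GET should pass through a sanitize_* function, and every echo of stored data should pass through an esc_* function matching its HTML context. A plugin upgrade alone does not clean records already written by the vulnerable release, which is why the output-side escaping matters even after the input side is fixed.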
OpenCVE Enrichment