Impact
The vulnerability is a stored cross-site scripting (XSS) flaw in the Booking Calendar Contact Form plugin, rooted in improper neutralization of user-supplied input during web page generation (CWE-79). An attacker can submit script content through form fields that the plugin later renders without escaping to other visitors of the site. When a victim loads the affected page, the injected script runs in the victim's browser in the context of the site, with whatever privileges that user's session carries; this enables session hijacking, cookie theft (where cookies lack the HttpOnly flag), actions performed on the victim's behalf, or page defacement. The flaw compromises the confidentiality and integrity of the affected website.
Affected Systems
This issue affects WordPress sites running the codepeople Booking Calendar Contact Form plugin, version 1.2.55 and earlier. The plugin is distributed through the WordPress plugin repository and is commonly used to add booking and contact form functionality. No finer-grained version information is supplied beyond the <=1.2.55 ceiling, so any installation at or below that version should be treated as affected.
Risk and Exploitability
The published CVSS score of 5.9 places this stored XSS at medium severity. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to submit a crafted payload through the plugin's form interface; the payload is stored and runs whenever the affected page is displayed to other users, authenticated or not. Because the attacker controls the stored data, this path can be used to steal credentials or session tokens, or to inject malicious content into pages served to the site's users.
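The store-then-render pattern behind this class of flaw, and the output escaping that closes it, shown as an added PHP example. This is illustrative code written for this page, not code from the Booking Calendar Contact Form plugin; the function and variable names (render_vulnerable, render_hardened, esc_text, $submissions) and the sample submission are constructed, and nothing here claims which of the plugin's fields or templates is the affected one.

```php
<?php
// Illustrative example added for this page (not plugin code): a minimal
// store-then-render flow showing the CWE-79 pattern and its fix.
// All names and the sample data below are constructed.

declare(strict_types=1);

// Stand-in for the plugin's persistence layer (a database row, an option,
// a custom table). Constructed submissions; the second carries an XSS
// payload in the "name" field.
$submissions = [
    ['name' => 'Alice', 'comment' => 'Looking forward to the stay.'],
    ['name' => '<img src=x onerror="alert(document.cookie)">',
     'comment' => 'Booking request'],
];

// Vulnerable pattern: stored user input is concatenated straight into HTML,
// both as element text and inside an attribute value.
function render_vulnerable(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $r) {
        $html .= "  <li class=\"booking\" data-name=\"{$r['name']}\">"
               . "{$r['name']}: {$r['comment']}</li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened pattern: every untrusted value is escaped for the context it
// lands in, at the moment of output. In a WordPress plugin the equivalents
// are esc_html() for element text and esc_attr() for attribute values.
function esc_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $r) {
        $name    = esc_text((string) $r['name']);
        $comment = esc_text((string) $r['comment']);
        $html .= "  <li class=\"booking\" data-name=\"{$name}\">"
               . "{$name}: {$comment}</li>\n";
    }
    return $html . "</ul>\n";
}

// Simple regression check a reviewer can keep: rendered output must never
// contain the raw stored payload verbatim.
function contains_raw_payload(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

$payload = $submissions[1]['name'];

$vulnerable = render_vulnerable($submissions);
$hardened   = render_hardened($submissions);

echo "vulnerable output contains raw payload: "
   . (contains_raw_payload($vulnerable, $payload) ? 'yes' : 'no') . "\n";
echo "hardened output contains raw payload:   "
   . (contains_raw_payload($hardened, $payload) ? 'yes' : 'no') . "\n";
echo "\n" . $hardened;
```

Run it with `php example.php`; the vulnerable renderer emits the `<img ... onerror=...>` element verbatim, while the hardened one emits `&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;`, which the browser displays as text. Escaping is contextual: the same value placed inside a JavaScript string or a URL needs a different encoder, and sanitizing on save (for example WordPress's `sanitize_text_field()`) is defence in depth, not a substitute for escaping at output.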