Impact
The vulnerability is a classic Stored Cross‑Site Scripting flaw caused by improper neutralization of input during web page generation in the xtreeme Planyo online reservation system. Malicious data placed into the system’s storage is later rendered in a web response without adequate escaping, so an attacker can inject JavaScript that runs in the browser of anyone who views the affected page. This can lead to session hijacking, theft of credentials, defacement, and lateral movement within the site. The weakness falls under CWE‑79 – Improper Neutralization of Input During Web Page Generation.
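As an added illustration (not code from the Planyo plugin, whose source is not shown here), the following shows the CWE-79 pattern described above in a hypothetical WordPress-style template: a stored reservation record echoed into markup without escaping, beside the hardened form that escapes each value for its output context. The record, field names and the tag-check helper are constructed for the example; the escaping fallbacks only exist so the file runs under plain PHP outside WordPress.

```php
<?php
// Added illustration, not code from the Planyo plugin. Demonstrates the CWE-79
// pattern: stored reservation data rendered into a page without escaping, next
// to a hardened rendering that escapes per output context.

// Stand-alone fallbacks so this file runs under plain PHP CLI; inside WordPress
// the real esc_html()/esc_attr() provided by core are used instead.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}

// Constructed stored record: a reservation whose free-text fields came from a user.
$reservation = [
    'id'   => 42,
    'note' => 'Late arrival <script>alert(1)</script>',
    'name' => 'Guest "A" <b>Smith</b>',
];

// VULNERABLE: raw storage values concatenated straight into HTML.
function render_reservation_vulnerable(array $r): string {
    return '<div class="planyo-res" data-name="' . $r['name'] . '">'
         . '<p>' . $r['note'] . '</p></div>';
}

// HARDENED: every stored value escaped for the context it lands in
// (esc_attr for attribute values, esc_html for element text).
function render_reservation_hardened(array $r): string {
    return '<div class="planyo-res" data-name="' . esc_attr($r['name']) . '">'
         . '<p>' . esc_html($r['note']) . '</p></div>';
}

// Review/unit-test check: rendered markup must contain no element tags other
// than the template's own, regardless of what the stored data held.
function has_unexpected_tags(string $html, array $allowed): bool {
    preg_match_all('/<\/?([a-zA-Z][a-zA-Z0-9]*)/', $html, $m);
    foreach ($m[1] as $tag) {
        if (!in_array(strtolower($tag), $allowed, true)) {
            return true;
        }
    }
    return false;
}

$allowed = ['div', 'p'];
var_dump(has_unexpected_tags(render_reservation_vulnerable($reservation), $allowed));
var_dump(has_unexpected_tags(render_reservation_hardened($reservation), $allowed));
```

The vulnerable renderer fails the check because the stored note and name introduce tags the template never emitted, while the hardened renderer passes because the same data reaches the browser as inert text.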
Affected Systems
The flaw affects the WordPress plugin "Planyo online reservation system" developed by xtreeme. All releases from the initial version through 3.1 inclusive are impacted. Sites running the plugin with any of these versions are vulnerable, regardless of other WordPress components.
Risk and Exploitability
The CVSS base score of 6.5 indicates a moderate level of risk, while the EPSS score of less than 1 % suggests a low probability of exploitation in the short term. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires the attacker to inject a payload into a data field that is later rendered on a page, it is likely to be exploited by users with permission to add or edit reservation content, or via social engineering that tricks an authorized user into submitting malicious input. If exploited, the impact can be significant due to the potential for persistent script execution across sessions.
OpenCVE Enrichment