Impact
The Booking and Rental Manager plugin for WordPress fails to neutralize user-supplied input before writing it into generated pages (CWE-79, Improper Neutralization of Input During Web Page Generation). Because the tainted value is reflected in the response rather than stored, this is a reflected cross-site scripting (XSS) flaw: an attacker who controls a value the plugin echoes back, typically a URL query parameter or a form field, can inject arbitrary JavaScript that executes in the browser of any user who loads the crafted request. The injected script runs in the origin of the vulnerable site, so it can act with the victim's session against that site.
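The pattern described above, shown as an added example that is not code from the Booking and Rental Manager plugin: a request value written straight into an HTML attribute next to the same output with WordPress's context-appropriate escaping. The parameter name `booking_date`, the function names and the date format are assumptions chosen for illustration; the page does not identify the plugin's actual vulnerable parameter. The hardened version relies on the WordPress runtime (`wp_unslash()`, `sanitize_text_field()`, `esc_attr()` are core WordPress functions).

```php
<?php
// Added example, not code from the plugin. The parameter "booking_date"
// is an assumed name used for illustration only.

// Vulnerable pattern: the request value is concatenated into markup verbatim.
function mptbm_example_render_vulnerable( array $get ): string {
    $date = isset( $get['booking_date'] ) ? $get['booking_date'] : '';
    // An attacker-controlled value lands inside an attribute unescaped, so a
    // value such as  "><script>alert(document.cookie)</script>  closes the
    // attribute and the tag and is executed by the browser.
    return '<input type="text" name="booking_date" value="' . $date . '">';
}

// Hardened pattern: unslash, sanitize, validate against the expected shape,
// then escape for the context the value is written into (HTML attribute).
function mptbm_example_render_hardened( array $get ): string {
    $raw  = isset( $get['booking_date'] ) ? wp_unslash( $get['booking_date'] ) : '';
    $date = sanitize_text_field( $raw );
    // Allow-list: this field only ever carries YYYY-MM-DD; anything else is dropped.
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
        $date = '';
    }
    // esc_attr() is what actually stops attribute break-out; the allow-list is
    // defence in depth so a malformed value never reaches the template at all.
    return '<input type="text" name="booking_date" value="' . esc_attr( $date ) . '">';
}
```

The fix that matters is the escaping call matched to the output context: `esc_attr()` for attribute values, `esc_html()` for text nodes, `esc_url()` for `href`/`src`, `esc_js()` for inline script strings. Sanitizing on input alone is not sufficient, because a value that is safe in one context is not necessarily safe in another.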
Affected Systems
The flaw is in the MagepeopleTeam Booking and Rental Manager plugin for WooCommerce and affects every version up to and including 2.5.3. Any WordPress installation running one of these versions is potentially exposed.
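A check for the affected range, added here as an example and not part of the plugin or of OpenCVE: it reads the `Version:` header that every WordPress plugin declares in its main file (WordPress itself parses this from the first 8 KiB of the file) and reports whether it falls at or below 2.5.3. The path to the plugin's main file is passed on the command line, since the plugin's directory and file name are not stated on this page.

```php
<?php
// Added example. Usage: php check_brm_version.php /path/to/wp-content/plugins/<plugin-dir>/<main-file>.php
// Exit status: 0 = not affected, 1 = affected, 2 = could not determine.

const AFFECTED_MAX_VERSION = '2.5.3';

// Extract the "Version:" plugin header. WordPress reads headers from the
// first 8 KiB of the main plugin file and tolerates comment prefixes.
function plugin_header_version( string $file_contents ): ?string {
    $head = substr( $file_contents, 0, 8192 );
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*([^\s*]+)/mi', $head, $m ) ) {
        return $m[1];
    }
    return null;
}

// PHP's version_compare() handles "2.5.3" vs "2.10" correctly, unlike a string compare.
function is_affected_version( string $version ): bool {
    return version_compare( $version, AFFECTED_MAX_VERSION, '<=' );
}

$path = $argv[1] ?? '';
if ( $path === '' || ! is_readable( $path ) ) {
    fwrite( STDERR, "usage: php {$argv[0]} <plugin main file>\n" );
    exit( 2 );
}

$version = plugin_header_version( (string) file_get_contents( $path ) );
if ( $version === null ) {
    fwrite( STDERR, "no Version: header found in {$path}\n" );
    exit( 2 );
}

$affected = is_affected_version( $version );
echo $version, $affected ? ' AFFECTED (<= ' . AFFECTED_MAX_VERSION . ')' : ' not affected', PHP_EOL;
exit( $affected ? 1 : 0 );
```

Run it against the plugin's main file on each site you manage; a non-zero exit status is convenient for wiring into a fleet-wide audit script. On hosts with WP-CLI available, `wp plugin list` gives the same version information without reading files directly.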
Risk and Exploitability
The issue carries a CVSS score of 7.1, which falls in the High band. Its EPSS score is below 1 %, indicating a low estimated probability of exploitation in the wild over the next 30 days, and it is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. As with any reflected XSS, exploitation requires user interaction: the attacker must get a victim to open a crafted URL or submit a malicious form value on the vulnerable site, after which the reflected script executes in the victim's browser. Exposure is limited to sites still running version 2.5.3 or earlier that lack compensating controls such as additional input validation, context-aware output escaping, or a restrictive Content-Security-Policy.
OpenCVE Enrichment