Impact
Improper neutralization of input during web page generation in the vcita Online Booking & Scheduling Calendar for WordPress plugin allows attackers to store malicious script code in the plugin’s data. When a page containing that data is rendered, the script executes in the browsers of all site visitors. The resulting stored cross‑site scripting can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. This flaw is classified as CWE‑79.
Affected Systems
Any installation of the vcita Online Booking & Scheduling Calendar for WordPress plugin at version 4.5.3 or earlier is affected. The flaw sits in the plugin's core booking and scheduling features rather than in an optional component, so every site running an affected version is exposed until the plugin is upgraded beyond 4.5.3. No specific environment constraints were listed, so ordinary WordPress deployments should be assumed to be at risk.
Risk and Exploitability
The CVSS base score of 6.5 indicates moderate overall risk. The EPSS score is below 1 %, meaning that industry data predict a very low probability of exploitation in the wild at present (EPSS estimates the likelihood of observed exploitation over the coming 30 days, not how easy the flaw is to exploit), and the vulnerability is not cataloged in the CISA KEV. Based on the description, the likely attacker is either an authenticated administrator or anyone who can submit data through the plugin's booking interface. By inserting a malicious payload into a stored field that is later rendered without proper escaping, an attacker can trigger a stored XSS against any user who views the affected page. Consequently, the potential impact includes theft of user sessions and the ability to hijack or redirect site traffic.
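The rendering mistake described above, as an added illustration that is not the vcita plugin's own code: a hypothetical booking record with a free-text notes field is emitted into a page unescaped, beside the same template escaped per output context with the WordPress helpers. The `esc_html`, `esc_attr` and `wp_json_encode` fallbacks are assumptions so the file also runs under plain php-cli; the booking data is constructed.

```php
<?php
// Added illustration, not the vcita plugin's code: a hypothetical booking record
// rendered into a page, first unescaped (the CWE-79 pattern), then escaped per
// output context. The function_exists() fallbacks stand in for the WordPress
// helpers so the file also runs under plain php-cli.
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('wp_json_encode')) {
    // JSON_HEX_TAG keeps a stored "</script>" from terminating the inline script block.
    function wp_json_encode($data) { return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); }
}

// Constructed sample: what a visitor could type into a booking form's free-text fields.
$booking = [
    'client' => 'Alice "A" <admin>',
    'notes'  => '<img src=x onerror="alert(1)">',
];

// Vulnerable pattern: stored input is concatenated straight into the markup, so the
// browser of every visitor who views the bookings page runs the onerror handler.
function render_booking_unsafe(array $b): string {
    return '<li data-client="' . $b['client'] . '">' . $b['notes'] . '</li>';
}

// Hardened pattern: escape at output time, choosing the escaper by where the value
// lands (attribute value vs. element text); the browser then shows the tag as text.
function render_booking_safe(array $b): string {
    return '<li data-client="' . esc_attr($b['client']) . '">' . esc_html($b['notes']) . '</li>';
}

// The same record handed to page JavaScript: JSON-encode it instead of concatenating.
function booking_for_script(array $b): string {
    return '<script>var booking = ' . wp_json_encode($b) . ';</script>';
}

echo render_booking_unsafe($booking), PHP_EOL;
echo render_booking_safe($booking), PHP_EOL;
echo booking_for_script($booking), PHP_EOL;
```

Under php-cli the first printed line still carries the live `img` element, while the second shows it entity-encoded as inert text; the same contrast is what a code review of the plugin's templates should look for.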
OpenCVE Enrichment