The vulnerability in Webba Booking exposes a stored cross‑site scripting flaw, where malicious input can be saved and later rendered in generated web pages. An attacker can inject JavaScript that executes in the context of any viewer of the affected content, potentially compromising user sessions, stealing credentials, or defacing the site. This weakness is categorized as CWE‑79.

The flaw affects the WordPress Webba Appointment Booking plugin named Webba Booking. All versions from the earliest available release up to and including 6.0.5 are affected. The affected product is the webba-booking-lite plugin used within WordPress installations.

The CVSS score of 5.9 indicates moderate severity, while the EPSS value of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to inject malicious payloads into booking or appointment fields that are persisted by the plugin; the stored data is then rendered in pages viewed by other users. The attack likely requires the ability to create or modify appointment records, which may be available to any authenticated user or even anonymous users, depending on the plugin configuration. Given the moderate CVSS and low EPSS, the risk is present but exploitation would probably be opportunistic rather than widespread.