Impact
The HotelRunner Booking Widget plugin for WordPress contains a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to craft a request which, when submitted by an authenticated user's browser, causes the plugin to store attacker-controlled data. When an authenticated user later loads a page that renders the widget, the stored payload executes in that visitor's browser, which makes the flaw a stored cross-site scripting (XSS) vulnerability. The root cause is that the plugin neither validates request integrity nor enforces CSRF protections (CWE-352).
Affected Systems
This issue affects the integrationshotelrunner HotelRunner Booking Widget plugin for WordPress in all versions up to and including 1.6. Any site that embeds the booking widget through this plugin is exposed to the flaw.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog, so no large-scale exploitation is known. The likely attack vector is a malicious link or email that causes an authenticated user's browser to send a request to the plugin's endpoint, after which the stored malicious code executes in the context of the site. An attacker can use the resulting stored XSS to steal session tokens, deface the site, or redirect users.
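The two defects described above (a settings request accepted without a nonce, and a stored value rendered without escaping) are a generic WordPress pattern. The following added example is not code from the HotelRunner Booking Widget plugin; it contrasts a hypothetical vulnerable save/render pair with the hardened form that closes both the CSRF entry point and the stored XSS sink. The option name `hrw_demo_widget_title`, the form field names, the `hrw_demo_save` admin-post action and all function names are assumptions made for illustration.

```php
<?php
/**
 * Added illustration, not code from the HotelRunner Booking Widget plugin.
 * Shows the generic WordPress pattern behind a CSRF -> stored XSS chain and
 * its hardened counterpart. Option name, field names, the admin-post action
 * and every function name here are hypothetical.
 */

// --- Vulnerable pattern (hypothetical, shown for contrast) -----------------
// 1. The save handler stores a setting without verifying a nonce or the
//    caller's capability, so any request the user's browser can be induced to
//    send cross-origin (CSRF) is accepted.
// 2. The renderer echoes the stored value unescaped, so whatever was stored
//    becomes stored XSS for every visitor of a page that shows the widget.
function hrw_demo_vulnerable_save() {
    if ( isset( $_POST['hrw_demo_widget_title'] ) ) {
        update_option( 'hrw_demo_widget_title', wp_unslash( $_POST['hrw_demo_widget_title'] ) );
    }
}
function hrw_demo_vulnerable_render() {
    echo '<div class="booking-widget">' . get_option( 'hrw_demo_widget_title', '' ) . '</div>';
}

// --- Hardened pattern ------------------------------------------------------
// Settings form: emits a nonce bound to one action so that a page on another
// origin cannot produce a submission the handler will accept.
function hrw_demo_settings_form() {
    $title = get_option( 'hrw_demo_widget_title', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hrw_demo_save">';
    wp_nonce_field( 'hrw_demo_save', 'hrw_demo_nonce' );
    echo '<input type="text" name="hrw_demo_widget_title" value="' . esc_attr( $title ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Save handler: reject callers without the capability, reject requests whose
// nonce is missing or invalid (the CSRF check), then sanitize before storing.
function hrw_demo_hardened_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // check_admin_referer() terminates with a 403 when the nonce does not verify.
    check_admin_referer( 'hrw_demo_save', 'hrw_demo_nonce' );

    $raw   = isset( $_POST['hrw_demo_widget_title'] ) ? wp_unslash( $_POST['hrw_demo_widget_title'] ) : '';
    $title = sanitize_text_field( $raw ); // strips tags, NUL bytes and stray whitespace
    update_option( 'hrw_demo_widget_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=hrw-demo&updated=1' ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; the nonce check above is
// still required because a logged-in user's browser is exactly what CSRF abuses.
add_action( 'admin_post_hrw_demo_save', 'hrw_demo_hardened_save' );

// Renderer: escape on output regardless of what is stored, so data that reached
// the database by another route (older rows, direct edits) still cannot run.
function hrw_demo_hardened_render() {
    echo '<div class="booking-widget">' . esc_html( get_option( 'hrw_demo_widget_title', '' ) ) . '</div>';
}
```

The two layers are independent on purpose: the nonce and capability checks stop the forged write, and output escaping neutralises anything already stored, which matters during the window between patching the plugin and auditing existing option values on an affected installation.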
OpenCVE Enrichment