Impact
The vulnerability is a stored Cross-Site Scripting flaw (CWE-79, improper neutralization of input during web page generation) that allows an attacker to store malicious script in the Booking Manager plugin's data. Once stored, the script executes in the browser of any user who views the affected booking information, enabling session hijacking, cookie theft, defacement, or delivery of further malware. Because the defect lies in how stored input is written back into generated pages, it can compromise the confidentiality and integrity of user sessions without the attacker holding elevated privileges. The impact is confined to the web interface, but the consequences for end users can be serious if they view the affected content.
Affected Systems
WordPress sites that have the Booking Manager plugin (vendor wpdevelop) at versions up to and including 2.1.17 are affected. The plugin is a common booking solution for WordPress installations, and any site deploying this version is at risk.
Risk and Exploitability
The CVSS score of 6.5 places the overall risk at medium, and the EPSS score of less than 1% indicates that the probability of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. The likely attack path is an attacker submitting malicious content through the plugin's booking or comment entry forms, which is then rendered without proper sanitization. The attacker does not need to bypass authentication, but the submitted content must remain visible to other site visitors. Once the stored payload is delivered to a user, the script executes in that user's browser context, potentially giving the attacker access to authenticated sessions if session cookies are not protected from script access.
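The two rendering paths described above (stored input echoed raw versus encoded at output time) as an added example; this is illustrative code, not the Booking Manager plugin's own source. The field names, the sample booking record and its probe string are constructed for the demonstration, and htmlspecialchars() stands in for WordPress's esc_html()/esc_attr() so the file runs with a plain PHP CLI outside WordPress.

```php
<?php
declare(strict_types=1);

// Constructed stored record, as it might sit in a booking table after a
// visitor submits the public booking form. The "comment" field carries a
// harmless probe string so the two renderers can be compared.
const SAMPLE_BOOKING = [
    'id'      => 42,
    'name'    => 'A. Visitor',
    'comment' => '<script>document.title="probed"</script> two nights please',
];

// Vulnerable form: stored fields are interpolated into markup unchanged, so
// any markup a visitor stored is parsed as markup by every user who views
// the list. This is the pattern CWE-79 describes.
function render_booking_unsafe(array $b): string
{
    return "<tr data-id=\"{$b['id']}\"><td>{$b['name']}</td>"
         . "<td>{$b['comment']}</td></tr>";
}

// Context-aware encoder for HTML text and double-quoted attribute values.
// Inside WordPress the equivalents are esc_html() for text nodes and
// esc_attr() for attribute values (assumption: plain PHP used here so the
// example runs without WordPress loaded).
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened form: every untrusted value is encoded at output time, in the
// context it is written into. Encoding at output, not only on input, is what
// closes the stored path regardless of how the data reached the table.
function render_booking_safe(array $b): string
{
    return '<tr data-id="' . esc((string) $b['id']) . '"><td>' . esc($b['name'])
         . '</td><td>' . esc($b['comment']) . '</td></tr>';
}

// Reviewer's check: the encoded output must not contain a raw tag that
// originated from stored data.
function contains_raw_tag(string $html): bool
{
    return str_contains($html, '<script>');
}

if (PHP_SAPI === 'cli') {
    echo "unsafe: " . render_booking_unsafe(SAMPLE_BOOKING) . PHP_EOL;
    echo "safe:   " . render_booking_safe(SAMPLE_BOOKING) . PHP_EOL;

    if (!contains_raw_tag(render_booking_unsafe(SAMPLE_BOOKING))) {
        throw new RuntimeException('expected the unsafe renderer to emit the raw tag');
    }
    if (contains_raw_tag(render_booking_safe(SAMPLE_BOOKING))) {
        throw new RuntimeException('safe renderer leaked a raw tag');
    }
    echo "checks passed" . PHP_EOL;
}
```

The unsafe renderer emits the probe's `<script>` element verbatim; the safe one emits `&lt;script&gt;`, which the browser displays as text. If a plugin genuinely needs to allow a limited subset of HTML in a comment field, the WordPress way is an allow-list filter such as wp_kses_post() at output time rather than trying to strip dangerous strings on input; the encoding approach above is the right default when no markup is expected.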
OpenCVE Enrichment