Impact
The vulnerability is a stored Cross‑Site Scripting flaw that occurs because the Taxi Booking Manager for WooCommerce plugin does not properly neutralize user‑supplied input before rendering it in a web page. An attacker can inject scripts that execute within the browser context of any authenticated user who views the affected page, potentially enabling session hijacking, defacement, or theft of sensitive data. The weakness is classified as CWE‑79, indicating that user input was inadequately sanitized before output.
Affected Systems
Magepeople inc.’s Taxi Booking Manager for WooCommerce plugin is affected in all releases up to and including 2.0.0. The latest advisory recommends upgrading to 2.0.1 or later.
Risk and Exploitability
The CVSS score of 6.5 reflects moderate severity; the EPSS score of below 1% indicates a low likelihood of exploitation based on current data sets. The plugin is not listed in CISA KEV, so no known active exploitation is reported. Based on the description, it is inferred that attackers would likely use a crafted web request to a booking or administrative page to inject a persistent payload. Even without a public exploit, the risk remains significant for sites that accept user input through the plugin.