Impact
The vagaro_booking_widget plugin for WordPress suffers from a stored cross‑site scripting flaw. An attacker can supply a malicious payload in the vagaro_code parameter, which the plugin fails to sanitise and escape before saving. The payload is persistently stored and later executed whenever any user views a page that includes the plugin’s output, giving the attacker the ability to run arbitrary JavaScript in the victim’s browser. This can lead to theft of session cookies, defacement, or other client‑side attacks.
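The pattern behind this class of flaw, shown as an added example rather than the plugin's own code: a hypothetical WordPress settings handler that first persists and echoes a `vagaro_code` request value untouched (the failure described above), then the hardened form that validates on write through `register_setting()`'s `sanitize_callback`, gates the change on a capability, and escapes on output. The option name `demo_widget_code`, the `demo_widget_*` function names, the shortcode name and the alphanumeric-only policy for the value are assumptions for illustration; the WordPress API calls themselves (`register_setting`, `sanitize_text_field`, `esc_attr`, `current_user_can`, `add_settings_error`) are real.

```php
<?php
// Added illustration, not the Vagaro Booking Widget plugin's code.
// Option name, function names and the value policy are assumptions.

// --- Vulnerable pattern: input stored and rendered without sanitising or escaping ---

function demo_widget_save_unsafe() {
    if ( isset( $_POST['vagaro_code'] ) ) {
        // Raw request input persisted as-is: any markup in it is now stored server-side.
        update_option( 'demo_widget_code', wp_unslash( $_POST['vagaro_code'] ) );
    }
}

function demo_widget_render_unsafe() {
    // Stored value written into the page verbatim: runs in every visitor's browser.
    echo get_option( 'demo_widget_code', '' );
}

// --- Hardened pattern ---

// 1. Validate and sanitise on write. register_setting() wires the callback into
//    update_option() for this option, so every write path goes through it.
function demo_widget_register_setting() {
    register_setting(
        'demo_widget_options',
        'demo_widget_code',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'demo_widget_sanitize_code',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'demo_widget_register_setting' );

function demo_widget_sanitize_code( $value ) {
    $current = get_option( 'demo_widget_code', '' );

    // Only users who may manage options can change the value; others keep the old one.
    if ( ! current_user_can( 'manage_options' ) ) {
        return $current;
    }

    // Strip tags, null bytes and line breaks; the value is an identifier, never HTML.
    $value = sanitize_text_field( (string) $value );

    // Assumed policy: the identifier is short and alphanumeric (plus '-' and '_').
    // Rejecting everything else removes the whole class of script/attribute payloads.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $value ) ) {
        add_settings_error(
            'demo_widget_code',
            'demo_widget_code_invalid',
            'Widget code must be 1 to 64 alphanumeric characters.'
        );
        return $current;
    }

    return $value;
}

// 2. Escape on output for the context the value lands in. Here it is placed in an
//    HTML attribute, so esc_attr() is the correct escaper; esc_html() would be used
//    for text content and esc_url() for a URL.
function demo_widget_render_safe() {
    $code = get_option( 'demo_widget_code', '' );
    return sprintf(
        '<div class="demo-widget" data-code="%s"></div>',
        esc_attr( $code )
    );
}
add_shortcode( 'demo_widget', 'demo_widget_render_safe' );
```

The two halves of the fix are independent and both matter: sanitising on write keeps hostile markup out of the database (and out of any other code path that reads the option), while escaping on output protects the page even if a value reaches the option through some route that skipped the callback. A capability check on its own is not enough, since the advisory notes the field may be reachable by unauthenticated users or through publicly editable settings.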
Affected Systems
All deployments of the Vagaro Booking Widget plugin for WordPress, up to and including release 0.3, are affected. Any WordPress site that has installed one of these versions, especially those that expose the vagaro_code field to unauthenticated users or allow public editing of plugin settings, is vulnerable.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.2, indicating significant severity. Because the attack does not require authentication and only needs the plugin to be installed, it is highly exploitable in practice. No EPSS score is available and the issue is not listed in the CISA KEV catalog, but the stored XSS nature makes it a high‑risk vector for compromising site visitors. Both the scope and impact remain contained to the affected site and its users; however, any attacker who can deliver a payload could steal credentials or hijack sessions for that site’s audience.
OpenCVE Enrichment