CVE-2022-1932: 
WordPress vulnerability analysis and mitigation

The Rezgo Online Booking WordPress plugin before version 4.1.8 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-1932. The vulnerability was discovered in July 2022 and affects the plugin's parameter handling functionality. The issue exists because the plugin does not properly sanitize and escape certain parameters before outputting them back in a page (WPScan).

The vulnerability has a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue can be exploited in two ways: either via a Local File Inclusion (LFI) in an AJAX action, or through direct calls to the affected file. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, WPScan).

The vulnerability allows attackers to execute cross-site scripting attacks against users who visit specially crafted URLs. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's browser (WPScan).

The vulnerability has been fixed in version 4.1.8 of the Rezgo Online Booking plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).