CVE-2022-29443: 
WordPress vulnerability analysis and mitigation

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered in Nicdark's Hotel Booking WordPress plugin versions 3.2 and below. The vulnerability was assigned CVE-2022-29443 and was publicly disclosed on May 26, 2022. The issue affects users with contributor or higher user roles who could potentially exploit the XSS vulnerabilities (Patchstack, WPScan).

The vulnerability stems from the plugin's failure to properly sanitize and escape certain parameters, allowing users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. The vulnerability has been assigned a CVSS score of 4.1 (Low severity) and is classified under OWASP Top 10 category A7: Cross-Site Scripting (XSS) and CWE-79 (Patchstack, WPScan).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

The vulnerability was fixed in version 3.3 of the Hotel Booking plugin. Users are advised to update to version 3.3 or later to remove the vulnerability. The update includes improved sanitation on POST requests (WordPress Plugin, Patchstack).