CVE-2023-4620: 
WordPress vulnerability analysis and mitigation

The Booking Calendar WordPress plugin before version 9.7.3.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on September 11, 2023, and affects the plugin's booking form data handling functionality. The issue stems from insufficient sanitization and escaping of booking form data, which can be exploited by unauthenticated users (WPScan Advisory).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.1 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is tracked as CWE-79 and allows unauthenticated users to inject malicious scripts through the booking form's First or Last Name fields. The injected payload becomes active when an administrator accesses the calendar overview dashboard (NVD Database).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of an administrator's browser session. This can lead to the theft of sensitive information, including administrator cookies and session tokens, potentially enabling account takeover or further system compromise (WPScan Advisory).

The vulnerability has been patched in version 9.7.3.1 of the Booking Calendar plugin. Site administrators are strongly advised to update to this version or later to protect against potential attacks (WPScan Advisory).