CVE-2024-12077: 
WordPress vulnerability analysis and mitigation

The Booking Calendar and Booking Calendar Pro plugins for WordPress contain a Reflected Cross-Site Scripting vulnerability (CVE-2024-12077) discovered on January 6, 2025. The vulnerability affects all versions up to and including 3.2.19 and 11.2.19 respectively. This security issue stems from insufficient input sanitization and output escaping in the 'calendar_id' parameter (NVD CVE).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.1 (Medium). The attack vector is characterized as CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD CVE).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This can lead to potential compromise of user data and session information within the context of the affected WordPress site (NVD CVE).

Users should update their Booking Calendar and Booking Calendar Pro plugins to versions newer than 3.2.19 and 11.2.19 respectively, as these versions contain the vulnerability. The issue has been addressed in subsequent releases (NVD CVE).