CVE-2024-3636: 
WordPress vulnerability analysis and mitigation

The Pinpoint Booking System WordPress plugin before version 2.9.9.4.8 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on July 15, 2024, and affects the plugin's settings functionality. The issue stems from improper sanitization and escaping of certain settings fields, particularly affecting high-privilege users such as administrators (WPScan).

The vulnerability exists due to insufficient input validation in the plugin's email and SMS template settings. When processing certain fields like the 'Name' field in email templates, the plugin fails to properly sanitize and escape user input. This remains exploitable even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS score of 3.5 (low) (WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. When exploited, the attacker could potentially execute arbitrary JavaScript code in the context of other users' browsers who access the affected pages, potentially leading to session hijacking or other client-side attacks (WPScan).

The vulnerability has been fixed in version 2.9.9.4.8 of the Pinpoint Booking System plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).