CVE-2024-38676: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Booking Ultra Pro plugin versions up to 1.1.13. The vulnerability was identified on July 10, 2024, and assigned CVE-2024-38676. This security flaw affects the WordPress Booking Ultra Pro Appointments Booking Calendar Plugin (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue, identified as CWE-79. The CVSS v3.1 base score is 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating that the vulnerability requires low attack complexity and limited privileges to exploit (Patchstack).

The vulnerability allows malicious actors to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. This could potentially lead to unauthorized data access and manipulation of website content (Patchstack).

Users are advised to update to Booking Ultra Pro version 1.1.14 or later to remediate this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).