CVE-2024-51628: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability has been identified in EzyOnlineBookings Online Booking System Widget through version 1.3. The vulnerability was discovered on November 1, 2024, and affects the WordPress plugin EzyOnlineBookings Online Booking System Widget. This DOM-Based XSS vulnerability requires contributor-level privileges to exploit (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue. It has been assigned CVE-2024-51628 and received a CVSS v3.1 score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is specifically a DOM-Based XSS type, affecting the widget functionality of the plugin (NVD).

The vulnerability could allow a malicious actor with contributor-level access to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would then be executed when guests visit the affected site (Patchstack).

As of the vulnerability disclosure, no official fix is available for this security issue. The vulnerability affects versions up to and including 1.3 of the EzyOnlineBookings Online Booking System Widget (Patchstack).