Because of these vulnerabilities in roomcloud.php, the attackers can inject arbitrary web script or HTML via 10 parameters: “pin”, “lang”, “start_year”, “start_month”, “start_day”, “end_day”, “end_month”, “end_year”, “adults”, “children”.
Update the plugin.