Description The plugin does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators
As an unauthenticated user, submit a booking form (such form can be added via the Booking Calendar Block on a page/post) with the payload below in the First or Last Name field:
"><img src=1 onerror="javascript:alert(document.cookie)"></img>
Which is the HTML encoded of ><img src=1 onerror="javascript:alert(document.cookie)"></img>
The XSS will be triggered when an admin will access the calendar overview dashboard (ie /wp-admin/admin.php?page=wpbc&view_days_num=90&view_mode=vm_calendar)