The plugin does not sanitise and escape the email and general field parameters, which could allow unauthenticated users to perform iFrame injection attacks.
As an unauthenticated user, submit a booking and put an iFrame payload in the email/general field parameter.
The iFrame will be executed when a user accesses the injected booking page.
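
The missing controls, shown as an added example that is not the plugin's code (which this page does not include): booking fields are validated and stripped on input and escaped on output, next to the unescaped rendering the advisory describes. All function names, field names and sample values are hypothetical and constructed for illustration.

```python
import html
import re

# Conservative address check (assumption: the plugin's real rules are not on the page).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
# Whole tags, including an unterminated trailing one. Deliberately strict:
# plain text that follows a bare "<" is removed as well.
TAG_RE = re.compile(r"<[^>]*>?")


def sanitize_booking(email: str, note: str) -> dict:
    """Input side: reject a malformed email, strip markup from the free-text field."""
    email = email.strip()
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email address")
    note = TAG_RE.sub("", note)
    note = "".join(c for c in note if c.isprintable() or c in "\n\t")
    return {"email": email, "note": note.strip()}


def render_unsafe(booking: dict) -> str:
    """The flaw described above: stored values concatenated straight into HTML."""
    return "<td>" + booking["email"] + "</td><td>" + booking["note"] + "</td>"


def render_safe(booking: dict) -> str:
    """Output side: escape every stored value at the point it enters HTML."""
    cells = (html.escape(booking[k], quote=True) for k in ("email", "note"))
    return "".join("<td>" + c + "</td>" for c in cells)


# Constructed sample: a booking stored before any sanitising was in place.
FRAME = '<iframe src="https://example.invalid/"></iframe>'
LEGACY = {"email": "a@example.com", "note": "Table for two" + FRAME}

if __name__ == "__main__":
    print(render_unsafe(LEGACY))   # markup reaches the page intact
    print(render_safe(LEGACY))     # markup is shown as inert text
    print(sanitize_booking("a@example.com", LEGACY["note"]))
    try:
        sanitize_booking(FRAME, "hi")
    except ValueError as exc:
        print("rejected:", exc)
```

Escaping on output is the layer that also covers bookings already stored before input sanitising was added, so both layers are needed.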