The plugin does not escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
| CPE | Name | Operator | Version |
|---|---|---|---|
|  | booking-calendar | lt | 3.2.4 |