An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details… The XSS payload is then executed when an authenticated administrator user views the booking on the Customer-booking page.
Inject an XSS payload via most fields in the booking form; it is then executed on the Customer-booking admin page when viewed by an authenticated administrator.