This vulnerability involves improper input sanitization in the Booking Calendar Contact Form plugin by codepeople, leading to stored cross-site scripting (XSS). Specifically, user input is not properly neutralized before being included in web pages, enabling attackers to inject malicious scripts that persist and execute when other users access the affected content. The issue affects all versions up to 1.2.58. The CVSS score of 6.5 reflects a medium severity with potential impacts on confidentiality, integrity, and availability. No official patch or vendor advisory is currently provided, and no exploits have been reported in the wild.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of other users, potentially leading to information disclosure, session hijacking, or other impacts on confidentiality, integrity, and availability of the affected system. The medium CVSS score indicates a moderate risk level. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting use of the affected Booking Calendar Contact Form plugin versions (<= 1.2.58) or applying custom input sanitization as a temporary mitigation. Monitor vendor channels for updates and apply patches promptly once available.