This vulnerability (CVE-2026-28040) involves improper neutralization of input during web page generation in the Taxi Booking Manager for WooCommerce plugin by Magepeople inc. Specifically, it is a stored cross-site scripting (XSS) issue that affects versions up to 2.0.0. An attacker could inject malicious scripts that are stored and later executed in the context of users viewing affected pages. The CVSS v3.1 base score is 6.5 (medium), with network attack vector, low attack complexity, requiring low privileges and user interaction, and impacts confidentiality, integrity, and availability to a limited extent. No patch or official remediation has been published yet.

Successful exploitation of this stored XSS vulnerability could allow an attacker to execute arbitrary scripts in the context of users interacting with the affected plugin, potentially leading to limited confidentiality, integrity, and availability impacts. This could include session hijacking, defacement, or other malicious actions within the scope of the affected web application. However, no known exploits are currently reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider applying workarounds such as disabling or limiting use of the affected plugin, or implementing web application firewall (WAF) rules to detect and block malicious input patterns related to XSS. Monitor vendor channels for updates and apply patches promptly once available.