Priyanka Pande

**Name of the Vulnerable Software and Affected Versions** The Salon booking system WordPress plugin versions prior to 9.6.3 **Description** The issue arises from improper sanitization and escaping of the `Mobile Phone` field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload is triggered when an admin visits the "Customers" page, and the malicious script is executed in the admin context. **Recommendations** For versions prior to 9.6.3, update to version 9.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Customers" page for admins until the update is applied. Additionally, avoid using the `Mobile Phone` field in the booking system until the issue is resolved.