CVE-2018-5671

Name of the Vulnerable Software and Affected Versions: booking-calendar plugin version 2.1.7

Description: A security issue was found in the booking-calendar plugin for WordPress. This issue allows for cross-site scripting (XSS) attacks through the wp-admin/admin.php endpoint, specifically via the extra field1[items][field item1][price percent] parameter.

Recommendations: For version 2.1.7, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the wp-admin/admin.php endpoint or avoiding the use of the extra field1[items][field item1][price percent] parameter until the issue is resolved.