Vagaro Booking Widget Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Vagaro Booking Widget plugin for WordPress, affecting all versions prior to and including 0.3. The issue arises from inadequate input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts through the 'vagaro_code' parameter. These injected scripts are executed when users access the compromised pages.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an unauthenticated user can inject a script into the 'vagaro_code' parameter. This can be done by submitting a form or through a URL that includes the parameter with the malicious script. Once the injection is made, the script will execute when the page is accessed.