During security research I found an authenticated stored XSS vulnerability in the Webba Booking plugin <= 4.2.21.


Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in Webba Booking plugin <= 4.2.21


In the left column, go to Webba Booking > Services. Add a new service there and name it test. An email address is compulsory here: add hacker@notarealemail.com and then click the Save and Close button.

Also add a service category: go to Webba Booking > Service categories and click the Add Service Category button. Name it test and again click the Save and Close button.

Now go to Webba Booking > Settings and click the Translation tab.

In the field labelled Select date label (extended mode), add the following payload:


Now scroll all the way down and click on the blue button Save Changes. 

Create a new page with the following shortcode: 


And save and publish the page. 

Log out of WordPress and visit this page.

Now you can see the authenticated stored XSS popping up. 
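
The steps above store a label in the plugin settings and then render it to logged-out visitors. The following stand-alone PHP script is an added example, not the plugin's code and not part of the original report; it shows the general pattern behind a stored XSS of this kind next to the sanitize-on-save and escape-on-output fix. The function names, the CSS class and the sample label are assumptions made for illustration.

```php
<?php
// Added example: runs with the php CLI outside WordPress.
// All names here are hypothetical; this is not Webba Booking code.

// Constructed test value standing in for an admin-supplied translation
// label. It is not the payload from the report.
$stored_label = 'Select date <script>alert(1)</script>';

// Pattern that leads to stored XSS: the saved label is concatenated into
// the front-end markup verbatim, so any markup in it reaches every visitor.
function render_label_unsafe(string $label): string
{
    return '<label class="booking-date-label">' . $label . '</label>';
}

// Input side: reduce the value to plain text before it is stored.
// Inside WordPress, sanitize_text_field() does this job.
function sanitize_label(string $label): string
{
    $plain = strip_tags($label);
    return trim(preg_replace('/\s+/', ' ', $plain));
}

// Output side: encode for the HTML context at render time, even when the
// value was sanitized on save. Inside WordPress, esc_html() does this job.
function render_label_safe(string $label): string
{
    $encoded = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<label class="booking-date-label">' . $encoded . '</label>';
}

// Audit helper: true when a stored label contains tags, which a plain-text
// translation string should never need.
function label_contains_markup(string $label): bool
{
    return $label !== strip_tags($label);
}

// Unescaped output: the script element survives into the page.
echo render_label_unsafe($stored_label), PHP_EOL;
// Escaped output: the same value is displayed as inert text.
echo render_label_safe($stored_label), PHP_EOL;
// Sanitized on save and escaped on output: tags are gone before storage.
echo render_label_safe(sanitize_label($stored_label)), PHP_EOL;
// Flag the stored value for review.
var_dump(label_contains_markup($stored_label));
```

Running the audit helper over the saved translation labels of an installed site is a quick way to check whether markup has already been stored in them.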

Additional information

PATCHSTACK link: https://patchstack.com/database/vulnerability/webba-booking-lite/wordpress-webba-booking-plugin-4-2-21-authenticated-stored-cross-site-scripting-xss-vulnerability

The plugin has 2,000+ active installations.