MEDIUM (6.4)
    Plugin

    Stored XSS in Surbma | Booking.com Shortcode Plugin via Shortcode Attributes

    Published Date: 4/14/2026
    CVE ID: CVE-2026-1607

    Summary

    The Surbma | Booking.com Shortcode plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability. This flaw arises from insufficient input sanitization and output escaping on attributes provided by users interacting with the `surbma-bookingcom` shortcode, affecting versions up to and including 2.1.

    Vulnerability Details

The vulnerability lies in the way the `surbma-bookingcom` shortcode processes user input in the Surbma | Booking.com Shortcode plugin. Authenticated users with at least contributor-level access can craft shortcode attributes containing malicious scripts. Because the attribute values are neither validated on input nor escaped on output, these scripts are stored in WordPress posts or pages and subsequently executed in the browser of any visitor who views the affected content, potentially leading to session hijacking or unauthorized actions performed in the context of the victim's session. This underlines the need for thorough validation of input data and escaping of output whenever HTML is generated. The stored XSS issue affects all plugin versions up to and including 2.1 and represents a significant security risk on WordPress sites where contributor-level users are common.
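    The following illustration is added here and is not the plugin's own code: it contrasts the general pattern behind this class of bug, a shortcode handler that concatenates attribute values straight into HTML, with a handler that restricts each attribute to the shape it should have and escapes it for the context it lands in. The attribute names (`aid`, `lang`, `text`), the handler names and the output markup are assumptions; the advisory does not list the real plugin's attributes.

```php
<?php
/*
 * Added illustration, not code from the Surbma | Booking.com Shortcode plugin.
 * Attribute names, function names and markup are assumptions made for the
 * example. Both handlers are meant to be loaded inside WordPress, where
 * shortcode_atts(), sanitize_text_field(), esc_url(), esc_html() and
 * add_shortcode() are available.
 */

// VULNERABLE pattern: attribute values controlled by whoever edits the post are
// written into the HTML without validation or escaping. This is the shape of
// defect the advisory describes.
function example_bookingcom_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'aid' => '', 'lang' => 'en', 'text' => 'Book now' ),
        $atts,
        'example-bookingcom'
    );
    // Whatever the post author typed inside the attribute reaches the page verbatim,
    // both inside the href attribute and inside the link text.
    return '<a href="https://www.booking.com/?aid=' . $atts['aid'] . '&lang=' . $atts['lang'] . '">'
         . $atts['text'] . '</a>';
}

// HARDENED pattern: validate each attribute against the values it can legitimately
// take, then escape for the exact output context (URL in href, text node for label).
function example_bookingcom_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'aid' => '', 'lang' => 'en', 'text' => 'Book now' ),
        $atts,
        'example-bookingcom'
    );

    // An affiliate id is digits only; anything else is dropped.
    $aid = preg_replace( '/[^0-9]/', '', (string) $atts['aid'] );

    // A language code is two letters with an optional region suffix (e.g. en, en-gb);
    // fall back to the default instead of passing unexpected input through.
    $lang = preg_match( '/^[a-z]{2}(-[a-z]{2})?$/i', (string) $atts['lang'] )
        ? strtolower( $atts['lang'] )
        : 'en';

    // sanitize_text_field() strips tags, octets and line breaks from free text.
    $text = sanitize_text_field( (string) $atts['text'] );

    // Values are already constrained, so the URL contains nothing that needs encoding;
    // esc_url() still rejects unsafe schemes and escapes for the attribute context.
    $url = sprintf( 'https://www.booking.com/?aid=%s&lang=%s', $aid, $lang );

    return sprintf(
        '<a href="%s" rel="nofollow noopener">%s</a>',
        esc_url( $url ),
        esc_html( $text )
    );
}

// Only the hardened handler is registered; the unsafe one is kept for comparison.
add_shortcode( 'example-bookingcom', 'example_bookingcom_shortcode_safe' );
```

    The key design choice is that validation narrows each attribute to an allow-list of shapes before any escaping happens, so escaping is a second layer rather than the only one; `esc_url()` and `esc_html()` are chosen per output context, because a value that is safe inside a text node is not automatically safe inside an `href`.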

    Recommendations

To mitigate this vulnerability, update the plugin to a later version that includes a patch for this issue. Additionally, enforce strict access controls, limiting shortcode usage to trusted users only. Implement a web application firewall (WAF) to help filter malicious requests, and review your site for any instances of the vulnerable shortcode being improperly used, removing or correcting them as necessary. Consider sanitizing and escaping all dynamic content in themes and plugins to prevent similar vulnerabilities.
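    The review step above can be scripted. The helper below is added here and is not part of the plugin or the advisory: loaded inside WordPress (for example with WP-CLI's `wp eval-file`), it lists every post or page that stores the `surbma-bookingcom` shortcode, including unpublished ones, together with the author's roles, and flags attribute values containing characters that have meaning in HTML. The flagging heuristic is an assumption made for triage, not a detector for every possible payload.

```php
<?php
/*
 * Added audit helper; not the plugin's code and not from the advisory.
 * Run inside WordPress, e.g.:  wp eval-file audit-bookingcom.php
 * The character heuristic below is an assumption: it surfaces attribute
 * values worth a human look, it does not prove or disprove a payload.
 */

function example_audit_bookingcom_shortcode( $tag = 'surbma-bookingcom' ) {
    $findings = array();

    // Include unpublished statuses: a contributor's pending post already holds the
    // stored attribute values and renders as soon as an editor approves it.
    $posts = get_posts( array(
        'post_type'      => 'any',
        'post_status'    => array( 'publish', 'pending', 'draft', 'future', 'private' ),
        'posts_per_page' => -1,
        's'              => '[' . $tag,
    ) );

    // Core's shortcode regex restricted to this one tag. It is used directly rather
    // than via has_shortcode(), which returns false when the plugin is deactivated.
    $pattern = '/' . get_shortcode_regex( array( $tag ) ) . '/';

    foreach ( $posts as $post ) {
        if ( ! preg_match_all( $pattern, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue; // search term matched plain text, not an actual shortcode
        }
        $author = get_userdata( $post->post_author );

        foreach ( $matches as $m ) {
            // [[tag ...]] is an escaped shortcode that WordPress prints literally.
            if ( '[' === $m[1] && ']' === $m[7] ) {
                continue;
            }
            // Group 3 of the core regex is the raw attribute string.
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) ) {
                $atts = array();
            }

            $suspicious = array();
            foreach ( $atts as $name => $value ) {
                // Angle brackets, quotes, ampersands and backslashes have no place in an
                // affiliate id, a language code or a short label (assumed heuristic).
                if ( is_string( $value ) && preg_match( '/[<>"\'&\\\\]/', $value ) ) {
                    $suspicious[ $name ] = $value;
                }
            }

            $findings[] = array(
                'post_id'     => $post->ID,
                'post_status' => $post->post_status,
                'author'      => $author ? $author->user_login : (string) $post->post_author,
                'roles'       => $author ? $author->roles : array(),
                'shortcode'   => $m[0],
                'suspicious'  => $suspicious,
            );
        }
    }
    return $findings;
}

// Compact report, one line per shortcode occurrence.
foreach ( example_audit_bookingcom_shortcode() as $f ) {
    printf(
        "post %d [%s] by %s (%s): %s%s\n",
        $f['post_id'],
        $f['post_status'],
        $f['author'],
        implode( ',', $f['roles'] ),
        $f['shortcode'],
        $f['suspicious']
            ? '  <-- review attributes: ' . implode( ', ', array_keys( $f['suspicious'] ) )
            : ''
    );
}
```

    Reporting the author's roles alongside each occurrence makes it straightforward to see whether the shortcode was placed by contributor-level accounts, which is the population the advisory identifies; any flagged occurrence should be corrected or removed in the editor rather than left to a WAF rule alone, since the payload is already stored.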

    Available Fixes

    Last Updated: 4/16/2026
    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.

    All Rights Reserved © 2026 Jedar for Digital Rights.
