Cross Site Scripting (XSS) vulnerability in Booking Core – Ultimate Booking System Booking Core 1.7.0. The "Subscribe" feature of the application is vulnerable to CSV formula injection. Input containing an Excel formula is not sanitized by the application. As a result, when an admin in the backend downloads and opens the CSV, the content of the cells is executed. Vulnerable fields: First name and Last name of the "Subscribe" request.
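One way to close this class of bug at export time is to neutralize every cell before it is written to the CSV. The following is an added example, not Booking Core's code: it is written in Python for illustration, and the column names `first_name`, `last_name` and `email`, the helper names and the sample rows are assumptions constructed here.

```python
import csv
import io

# Leading characters a spreadsheet may treat as the start of a formula
# (the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the value as text that a spreadsheet will not evaluate."""
    text = "" if value is None else str(value)
    # Conservative choice (an assumption of this example): also look at the
    # first non-space character, in case the consumer trims leading spaces.
    probe = text.lstrip(" ")
    if text.startswith(FORMULA_TRIGGERS) or probe.startswith(FORMULA_TRIGGERS):
        # A leading apostrophe makes the spreadsheet treat the cell as text.
        return "'" + text
    return text


def export_subscribers(rows):
    """Serialize subscriber rows to CSV with every cell neutralized and quoted."""
    columns = ("first_name", "last_name", "email")  # hypothetical column names
    buf = io.StringIO()
    # QUOTE_ALL wraps each field in double quotes and doubles embedded quotes,
    # so a value cannot break out of its own cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow([neutralize_cell(row.get(col)) for col in columns])
    return buf.getvalue()


# Constructed sample subscriptions; the formulas are harmless arithmetic.
SAMPLE_ROWS = [
    {"first_name": "Alice", "last_name": "Smith", "email": "alice@example.com"},
    {"first_name": "=1+1", "last_name": "@SUM(1,1)", "email": "bob@example.com"},
    {"first_name": "  +1", "last_name": 'O"Brien', "email": "carol@example.com"},
]

if __name__ == "__main__":
    print(export_subscribers(SAMPLE_ROWS), end="")
```

The prefix also applies to legitimate values that begin with `-` or `+`, such as negative numbers, which is acceptable for name fields but needs a per-column decision for numeric columns.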