The plugin does not perform any authorisation check when a user books an appointment using an email address from an existing account, allowing unauthenticated attackers to log in as any user of the blog by providing that user's email address.
On a page where the [bookit] shortcode is embedded, book an appointment using the email address of a user on the blog.
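The bug class described above, shown as an added example for reviewers and plugin authors: a booking handler that signs the visitor in based on the submitted email, next to a form that never issues a session from it. This is not the plugin's own code; both function names are hypothetical, and only core WordPress functions are called.

```php
<?php
// Hypothetical handlers illustrating the bug class; not BookIt's code.

// Vulnerable pattern: the submitted email alone selects the account,
// and the visitor is then signed in as that account.
function example_booking_customer_vulnerable( string $email ): int {
    $user = get_user_by( 'email', $email );
    if ( $user ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID ); // session issued without proof of ownership
        return (int) $user->ID;
    }
    return 0;
}

// Hardened pattern: a booking is linked to an account only when the
// requester is already authenticated as that account. No code path
// creates a session from form input.
function example_booking_customer_hardened( string $email ): int {
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) ) {
        return 0; // unusable address: treat as a guest booking
    }

    $owner = get_user_by( 'email', $email );
    if ( ! $owner ) {
        return 0; // no matching account: guest booking
    }

    if ( is_user_logged_in() && get_current_user_id() === (int) $owner->ID ) {
        return (int) $owner->ID; // requester has already proven who they are
    }

    // The email belongs to an account the requester has not authenticated as.
    // Record a guest booking rather than linking or logging in; returning the
    // same value as the "no account" case also avoids revealing which emails
    // are registered.
    return 0;
}
```

When reviewing a plugin for this issue, look for `wp_set_auth_cookie()` or `wp_set_current_user()` reachable from unauthenticated AJAX or REST handlers with a user ID derived from request input.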