The vulnerability stemmed from insufficient input sanitization in book metadata handling. The commit diff shows sanitize_string() was added as a callback for several fields including pb_about_unlimited (Long Description). Prior to 5.18.0, these fields lacked proper HTML filtering. The proof-of-concept demonstrates that raw HTML/JS in Long Description was stored and executed, indicating missing sanitization in the save workflow. The vulnerable functions are those responsible for processing and storing user input in book metadata without adequate XSS protection.