WordPress Bookly Lite 13.2 Cross Site Scripting

WordPress Bookly Lite plugin version 13.2 suffers from a persistent cross site scripting vulnerability.


MD5 | 112e7dd3b55bbb6e67772fd4f3728bd9

In January I found a stored XSS in Bookly WP Plugin (10,000+ downloads for
Lite version on official WordPress plugin site and 18,000+ for Pro version
on CodeCanyon).

Link of Bookly stored XSS proof-of-concept:
https://www.gubello.me/blog/bookly-blind-stored-xss/

During the booking phase, an unauthenticated user can inject arbitrary
code into the *Name* field of the plugin. The code will run in the admin
panel when an administrator checks the payments on the page
*bookly-payments*.
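As an added illustration (not Bookly's own code), the pattern the advisory describes, stored booking-form input echoed unescaped into an admin page, shown next to the output-escaped form; the table markup, the $payments array and the render_* functions are hypothetical, while esc_html() is the real WordPress escaping helper.

```php
<?php
// Added example, not Bookly's code: the table, rows and function names are hypothetical.
// Outside WordPress, supply a stand-in for esc_html() so the file runs under php-cli.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample row: the customer name is unauthenticated input collected on
// the public booking form and stored exactly as submitted.
$payments = [
    ['id' => 1, 'customer' => 'Alice <b>Example</b>', 'amount' => '20.00'],
];

// Vulnerable pattern: stored input is written into admin HTML without escaping,
// so any markup in the name is rendered (and scripts executed) in the admin's browser.
function render_payments_unsafe(array $rows): string {
    $html = '<table>';
    foreach ($rows as $r) {
        $html .= "<tr><td>{$r['id']}</td><td>{$r['customer']}</td><td>{$r['amount']}</td></tr>";
    }
    return $html . '</table>';
}

// Hardened pattern: escape at output time for the HTML text context.
// Sanitising on input alone is not enough; every sink must escape for its own context.
function render_payments_safe(array $rows): string {
    $html = '<table>';
    foreach ($rows as $r) {
        $html .= '<tr><td>' . esc_html($r['id']) . '</td><td>'
               . esc_html($r['customer']) . '</td><td>'
               . esc_html($r['amount']) . '</td></tr>';
    }
    return $html . '</table>';
}

echo render_payments_unsafe($payments), "\n"; // <b> reaches the browser as markup
echo render_payments_safe($payments), "\n";   // &lt;b&gt; is displayed literally
```

A quick check for an existing install is to look in the stored booking data for names containing `<` or `>`; entries that do are worth reviewing before an administrator opens the payments page.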
