WordPress Bookly Lite plugin version 13.2 suffers from a persistent cross site scripting vulnerability.
1e099cc6690be2bd8587eb15b9d5614597c0c1247f792e3a27b45507ad09905aIn January I found a stored XSS in Bookly WP Plugin (10,000+ download for
Lite version on official WordPress plugin site and 18,000+ for Pro version
on CodeCanyon).
Link of Bookly stored XSS proof-of-concept:
https://www.gubello.me/blog/bookly-blind-stored-xss/
During the booking phase, an unauthenticated user can inject arbitrary
code into the *Name* field of the plugin. The code will run in the admin
panel when an administrator checks the payments on the page
*bookly-payments*."
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed