Stored Cross-Site Scripting in Bookly Plugin for WordPress
CVE-2023-1159

4.8MEDIUM

Key Information:

Vendor
Wordpress
Status
WordPress Online Booking and Scheduling Plugin – Bookly
Vendor
CVE Published:
2 June 2023

Summary

The Bookly plugin for WordPress has a vulnerability that allows authenticated users with administrative privileges to execute arbitrary web scripts through service titles. This issue arises from inadequate input sanitization and output escaping, specifically impacting multi-site setups and installations where unfiltered HTML has been disabled. When exploited, this vulnerability enables attackers to inject malicious scripts into pages, executing them when users access these compromised pages.

Affected Version(s)

WordPress Online Booking and Scheduling Plugin – Bookly 21.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vinay Kumar
.