Stored Cross-Site Scripting in Bookly Plugin for WordPress
CVE-2023-1159

4.8MEDIUM

Key Information:

Vendor: Wordpress
Status: WordPress Online Booking and Scheduling Plugin – Bookly
Vendor: CVE Published:; 2 June 2023

What is CVE-2023-1159?

The Bookly plugin for WordPress has a vulnerability that allows authenticated users with administrative privileges to execute arbitrary web scripts through service titles. This issue arises from inadequate input sanitization and output escaping, specifically impacting multi-site setups and installations where unfiltered HTML has been disabled. When exploited, this vulnerability enables attackers to inject malicious scripts into pages, executing them when users access these compromised pages.

Affected Version(s)

WordPress Online Booking and Scheduling Plugin – Bookly 21.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 2, 2023
Vulnerability Reserved
Mar 2, 2023

Credit

Vinay Kumar