Stored Cross-Site Scripting in Bookly Plugin for WordPress
CVE-2023-1172

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: WordPress Online Booking and Scheduling Plugin – Bookly
Vendor: CVE Published:; 17 March 2023

Summary

The Bookly plugin for WordPress presents a significant security vulnerability due to its failure to properly sanitize input and escape output. This allows unauthenticated attackers to execute arbitrary scripts that can be injected through the 'full name' input field. When users visit affected pages, these scripts are executed, which could lead to unauthorized actions or data theft. Website owners using the vulnerable versions are urged to update to the latest version to mitigate this risk.

Affected Version(s)

WordPress Online Booking and Scheduling Plugin – Bookly 21.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 17, 2023
Vulnerability Reserved
Mar 3, 2023

Credit

Vinay Kumar