The plugin does not escape the Staff Full Name field before outputting it back in an admin page (Staff Members order), which leads to a Stored Cross-Site Scripting issue: a low-privileged Staff Member can store a payload that executes in an administrator's browser.
As a Staff Member, put the following payload in your Full Name (Booklyn --> Profile --> Edit --> Full Name):

<script>alert(/XSS/)</script>

The XSS will be triggered when an admin opens the Staff members order page (Booklyn --> Staff Members --> Staff member order).
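The advisory gives no plugin code. The following is an added, hypothetical PHP example (not the plugin's own code) of how a stored XSS of this kind arises in a WordPress admin page and how escaping on output fixes it. The function names render_staff_order_list_vulnerable / render_staff_order_list_fixed, the $staff_rows sample data and the simplified stand-ins for esc_html()/esc_attr() are assumptions made for the demo; inside WordPress the real helpers would be used.

```php
<?php
// Added illustrative example, not the plugin's own code. Names such as
// render_staff_order_list_* and $staff_rows are assumptions for this demo.
// When run outside WordPress, minimal stand-ins for esc_html()/esc_attr() are
// defined below; inside WordPress the real helpers take precedence.

if (!function_exists('esc_html')) {
    // Simplified stand-in for WordPress esc_html(): encode HTML metacharacters.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    // Simplified stand-in for WordPress esc_attr(): same encoding, attribute context.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample rows, as they might come back from a staff table.
// Full Name is attacker-controlled: any staff member can edit their own profile.
$staff_rows = [
    ['id' => 1, 'full_name' => 'Alice Example'],
    ['id' => 2, 'full_name' => '<script>alert(/XSS/)</script>'], // payload from the advisory
];

// VULNERABLE: the stored value is concatenated straight into the admin page markup.
// The browser parses the injected <script> and runs it with the admin's session.
function render_staff_order_list_vulnerable(array $rows): string {
    $html = '<ul class="staff-order">';
    foreach ($rows as $row) {
        $html .= '<li data-id="' . (int) $row['id'] . '">' . $row['full_name'] . '</li>';
    }
    return $html . '</ul>';
}

// FIXED: escape at output time for the context the value lands in.
// esc_html() for element text, esc_attr() for attribute values. A value embedded in
// inline JavaScript would need wp_json_encode() instead; each context needs its own
// escaper, which is why escaping on output (not only sanitising on save) is the rule.
function render_staff_order_list_fixed(array $rows): string {
    $html = '<ul class="staff-order">';
    foreach ($rows as $row) {
        $name = (string) $row['full_name'];
        $html .= '<li data-id="' . (int) $row['id'] . '" title="' . esc_attr($name) . '">'
               . esc_html($name) . '</li>';
    }
    return $html . '</ul>';
}

// Self-check when run from the CLI: the fixed renderer must not emit a live <script>.
if (PHP_SAPI === 'cli') {
    $vuln  = render_staff_order_list_vulnerable($staff_rows);
    $fixed = render_staff_order_list_fixed($staff_rows);
    echo "vulnerable: ", $vuln, PHP_EOL, "fixed:      ", $fixed, PHP_EOL;
    if (strpos($vuln, '<script>') === false || strpos($fixed, '<script>') !== false) {
        fwrite(STDERR, "unexpected result\n");
        exit(1);
    }
    echo "ok: payload is inert in the fixed output", PHP_EOL;
}
```

Run it with `php demo.php` (PHP 7.4 or later). In the fixed output the payload appears as `&lt;script&gt;alert(/XSS/)&lt;/script&gt;`, which the browser displays as text rather than executing. Sanitising the name on save (for example with WordPress's sanitize_text_field()) is worthwhile defence in depth, but the fix for the reported flaw is escaping at the point of output, because the same stored value may be rendered in several contexts.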
Mesut Cetin
Mesut Cetin
Yes
2021-11-08
2021-11-08
2022-04-12