Bookly < 20.3.1 – Staff Member Stored Cross-Site Scripting | CVE 2021-24930 | Plugin Vulnerabilities

Description

The plugin does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue

Proof of Concept

As a Staff Member, put the following payload in your Full Name (Booklyn --> Profile --> Edit --> Full Name): <script>alert(/XSS/)</script>

The XSS will be triggered when an admin open the Staff members order page (Booklyn --> Staff Members --> Staff member order)

Affects Plugins

bookly-responsive-appointment-booking-tool

Fixed in 20.3.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mesut Cetin

Submitter

Mesut Cetin

Verified

Yes

WPVDB ID

479704d8-057b-4642-b84a-4a78567ba20b

Timeline

Publicly Published

2021-11-08 (about 4 years ago)

Added

2021-11-08 (about 4 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2024-05-03

Title

Breakdance < 1.7.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via custom postmeta

Published

2025-03-31

Title

byBrick Accordion <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-08-26

Title

Uncode < 2.9.4.4 - Reflected Cross-Site Scripting

Published

2024-12-17

Title

WP eCommerce Quickpay <= 1.1.0 - Reflected Cross-Site Scripting

Published

2019-09-28

Title

Visualizer < 3.3.1 - Stored Cross-Site Scripting (XSS)