Bookly < 20.3.1 – Staff Member Stored Cross-Site Scripting | CVE 2021-24930 | Plugin Vulnerabilities

Description

The plugin does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue

Proof of Concept

As a Staff Member, put the following payload in your Full Name (Booklyn --> Profile --> Edit --> Full Name): <script>alert(/XSS/)</script>

The XSS will be triggered when an admin open the Staff members order page (Booklyn --> Staff Members --> Staff member order)

Affects Plugins

bookly-responsive-appointment-booking-tool

Fixed in 20.3.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mesut Cetin

Submitter

Mesut Cetin

Verified

Yes

WPVDB ID

479704d8-057b-4642-b84a-4a78567ba20b

Timeline

Publicly Published

2021-11-08 (about 2 years ago)

Added

2021-11-08 (about 2 years ago)

Last Updated

2022-04-12 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

All in One Adsense YPN 2.0.1 - all-in-one-adsense-&-ypn.php Direct Request AdSense Account Manipulation

Published

2023-03-30

Title

Premmerce Redirect Manager < 1.0.12 - Admin+ Stored XSS

Published

2022-05-25

Title

Private Messages For WordPress <= 2.1.10 - Subscriber+ Stored Cross-Site Scripting

Published

2021-10-05

Title

WP-Recall < 16.24.48 - Reflected Cross-Site Scripting

Published

2023-11-03

Title

ShortCodes UI <= 1.9.8 - Contributor+ Stored XSS