WordPress Plugin Vulnerabilities

Bookly < 21.6 - Unauthenticated Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
bookly-responsive-appointment-booking-tool
Fixed in 21.6

References

CVE
CVE-2023-1172

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Vinay Kumar
Verified
No
WPVDB ID
ad3dea0f-896d-4303-88b6-8a485837334d

Timeline

Publicly Published
2023-03-17 (about 3 years ago)
Added
2023-03-17 (about 3 years ago)
Last Updated
2023-03-17 (about 3 years ago)

Other

Published
Title
Published
2021-05-16
Title
Listeo < 1.6.11 - Multiple XSS & XFS vulnerabilities
Published
2025-03-27
Title
Chartify < 3.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-12-24
Title
WP2LEADS < 3.3.4 - Reflected Cross-Site Scripting
Published
2025-01-09
Title
Tourmaster < 5.3.5 - Reflected XSS
Published
2014-08-01
Title
Category Grid View Gallery 2.3.1 - CatGridPost.php ID Parameter XSS