Bookly < 22.5 – Admin+ Stored XSS | CVE 2023-5209

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. As an admin user, visit the Bookly > Appearance page.
2. Click "Save" and intercept the request.
3. In the body of the request, update the value of one of the attributes for any of the following option names (it will be of the format `options%5Bbookly_OPTION_NAME%5D=TEXT` and append the following payload after the value: `%3Cimg%20src=x%20onerror=alert(/xss/)%3E`

  Affected option names:
    - `bookly_l10n_button_back`
    - `bookly_l10n_button_download_ics`
    - `bookly_l10n_button_time_next`
    - `bookly_l10n_button_time_prev`
    - `bookly_l10n_label_email_confirm`
    - `bookly_l10n_label_email`
    - `bookly_l10n_label_finish_by`
    - `bookly_l10n_label_first_name`
    - `bookly_l10n_label_last_name`
    - `bookly_l10n_label_name`
    - `bookly_l10n_label_notes`
    - `bookly_l10n_label_pay_locally`
    - `bookly_l10n_label_phone`
    - `bookly_l10n_label_select_date`
    - `bookly_l10n_label_start_from`
    - `bookly_l10n_label_terms`
    - `bookly_l10n_step_details_button_login`
    - `bookly_l10n_step_details_button_next`
    - `bookly_l10n_step_done_button_start_over`
    - `bookly_l10n_step_service_button_next`
    - `bookly_l10n_step_service_mobile_button_next`

4. Add the `[bookly-form]` shortcode to a post and visit that post to trigger the XSS. Note that for some of the options above you may need to navigate through the steps of the form.