Product: Bookly #1 WordPress Booking Plugin (Lite Version)
Active installations: 10,000+
Product page: https://wordpress.org/plugins/bookly-responsive-appointment-booking-tool/
PROOF OF CONCEPT
Bookly Lite 13.2 and Bookly Pro 14.5 are affected, and probably earlier versions as well.
I think the problem is that the jQuery.ajax request is not sanitized in ng-payment_details_dialog.js.[*]
07/01/2018 – I sent the report
26/01/2018 – Bookly Lite is updated to version 14.5 and the vulnerability is fixed
10/02/2018 – Public disclosure
[*] I have been very busy these days, so I could not read the code of the plug-in.