Bookly #1 WordPress Booking Plugin (Lite) 13.2 – Blind Stored XSS


Product: Bookly #1 WordPress Booking Plugin (Lite Version)
Version: 13.2
Active installations: 10,000+
Product page:
CVE: 2018-6891


An unauthenticated user can inject arbitrary persistent JavaScript code into the admin panel.


Bookly Lite 13.2 and Bookly Pro 14.5 are affected, probably even earlier versions.
I think the problem is that jQuery.ajax request is not sanitized in ng-payment_details_dialog.js.[*]
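Stored XSS of this kind appears when fields a visitor typed into the public booking form come back in the AJAX JSON response and are concatenated into the dialog's markup without escaping. The block below is an added illustration, not Bookly's code: a constructed response is rendered by a naive concatenating renderer and by one that HTML-escapes every untrusted field; the field names and the renderer shape are assumptions.

```javascript
// Added example (not Bookly's code): rendering untrusted booking fields
// in an admin dialog, unescaped versus HTML-escaped.

// Escape the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed AJAX response (assumed shape): the customer fields were
// supplied by an unauthenticated visitor through the booking form.
const sampleResponse = {
  customer: { name: "Alice <i>Example</i>", notes: 'say "hi" & bye' },
  amount: "25.00",
};

// Vulnerable pattern: values are concatenated straight into markup that a
// jQuery call such as $dialog.html(...) will parse, so any tag in the
// customer's input becomes part of the admin page's DOM.
function renderUnsafe(res) {
  return "<tr><td>" + res.customer.name + "</td>" +
         "<td>" + res.customer.notes + "</td>" +
         "<td>" + res.amount + "</td></tr>";
}

// Hardened pattern: every field taken from the response is escaped, so the
// same input is displayed literally and never parsed as markup.
function renderSafe(res) {
  return "<tr><td>" + escapeHtml(res.customer.name) + "</td>" +
         "<td>" + escapeHtml(res.customer.notes) + "</td>" +
         "<td>" + escapeHtml(res.amount) + "</td></tr>";
}

// Check helper: after removing the renderer's own table tags, does the
// markup still contain a raw tag that came from the untrusted fields?
function containsRawTag(html) {
  return /<[a-z][^>]*>/i.test(html.replace(/<\/?(tr|td)>/g, ""));
}

console.log(renderUnsafe(sampleResponse));
console.log(renderSafe(sampleResponse));
```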

07/01/2018 – I sent the report
26/01/2018 – Bookly Lite is updated to version 14.5 and the vulnerability is fixed
10/02/2018 – Public disclosure


[*] I have been very busy these days, so I could not read the code of the plug-in.