Bookly #1 WordPress Booking Plugin (Lite) 13.2 – Blind Stored XSS

INFO

Product: Bookly #1 WordPress Booking Plugin (Lite Version)
Version: 13.2
Active installations: 10,000+
Product page: https://wordpress.org/plugins/bookly-responsive-appointment-booking-tool/
CVE: 2018-6891

DESCRIPTION

An unauthenticated user can inject arbitrary persistent javascript code in the admin panel.

PROOF OF CONCEPT


Bookly Lite 13.2 and Bookly Pro 14.5 are affected, probably even earlier versions.
I think the problem is that jQuery.ajax request is not sanitized in ng-payment_details_dialog.js.[*]

07/01/2018 – I send the report
26/01/2018 – Bookly Lite is updated to version 14.5 and the vulnerability is fixed
10/02/2018 – Public disclosure

 

[*] I have been very busy these days, so I could not read the code of the plug-in.