WordPress Bookly Lite plugin version 13.2 suffers from a persistent cross-site scripting vulnerability.
In January I found a stored XSS in the Bookly WP Plugin (10,000+ downloads for
the Lite version on the official WordPress plugin site and 18,000+ for the Pro version
on CodeCanyon).
Link to the Bookly stored XSS proof-of-concept:
https://www.gubello.me/blog/bookly-blind-stored-xss/
During the booking phase, an unauthenticated user can inject arbitrary
code into the *Name* field of the plugin. The code will run in the admin
panel when an administrator checks the payments on the page
*bookly-payments*.
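
The flaw class described above, shown from the fixing side as an added example that is not Bookly's code: a stored customer name rendered into an admin table without and with output encoding, plus intake normalization as defence in depth. The function names, array keys and sample record are hypothetical; in a WordPress plugin the core helpers `esc_html()` and `sanitize_text_field()` fill the same roles as the plain PHP calls used here.

```php
<?php
// Added example, not Bookly's code. Function names and array keys are hypothetical.

/** Vulnerable pattern: the stored value is concatenated into the admin page as HTML. */
function render_payment_row_unsafe(array $p): string
{
    return '<tr><td>' . $p['customer_name'] . '</td><td>' . $p['amount'] . '</td></tr>';
}

/** Hardened pattern: every stored value is encoded for the HTML context on output. */
function render_payment_row_safe(array $p): string
{
    $e = static function (string $v): string {
        return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };
    return '<tr><td>' . $e($p['customer_name']) . '</td><td>' . $e($p['amount']) . '</td></tr>';
}

/**
 * Defence in depth at intake: strip tags and control characters from the
 * submitted name before storing it. This complements output encoding and
 * does not replace it.
 */
function normalize_customer_name(string $raw): string
{
    $name = strip_tags($raw);
    // preg_replace returns null on invalid UTF-8 with /u; treat that as empty.
    $name = preg_replace('/[\x00-\x1F\x7F]/u', '', $name) ?? '';
    return trim($name);
}

// Constructed sample record: a booking whose Name field was submitted with markup.
$payment = [
    'customer_name' => '<script>alert(1)</script>',
    'amount'        => '25.00',
];

// Unsafe rendering passes the markup through to the administrator's browser.
echo render_payment_row_unsafe($payment), PHP_EOL;

// Safe rendering turns the same value into inert text.
echo render_payment_row_safe($payment), PHP_EOL;

// What would have been stored had the name been normalized at booking time.
echo normalize_customer_name($payment['customer_name']), PHP_EOL;
```

Output encoding at the point of rendering is the control that closes this class of bug, because the value reaches the admin page from storage regardless of how it was submitted.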