WordPress is a popular content management system that lets users build and manage websites with the help of a large ecosystem of plugins. One such plugin, active on more than 60,000 websites, is the “WordPress Online Booking and Scheduling Plugin – Bookly.” Bookly streamlines online bookings and automates the reservation process. However, like many other WordPress plugins, it can also contain flaws that attackers are able to exploit.
In March 2023, Quick Heal Security Labs identified a vulnerability in the Bookly plugin. As soon as we discovered the flaw, we began responsible disclosure so that it would be addressed promptly. On March 3, 2023, the same day we found the issue, we contacted the Bookly plugin support team and provided full technical details. We also notified firstname.lastname@example.org and Wordfence (the CNA) of the vulnerability. The issue was quickly acknowledged and assigned the identifier CVE-2023-1172. The Bookly team developed a patch and released it on March 9, 2023, in version 21.5.1.
In this post, we will conduct a thorough analysis of the root cause of the vulnerability found in the Bookly plugin, as well as an examination of the patch that was released to address the issue.
Analysing CVE-2023-1172 – Unauthenticated Stored Cross-Site Scripting via Name:
Our research revealed that the Bookly plugin’s “Full name” field was vulnerable to stored cross-site scripting (XSS) because the value was neither sanitized on input nor escaped on output. Because the booking form is exposed to any visitor, no authentication is needed to submit the payload. We further found that the plugin reuses the submitted “Full name” value in multiple files, so a single unsanitized field reaches several output locations and any one of them becomes an injection point. The code snippet below demonstrates how the value of the “Full name” field is utilized:
As shown below, the raw “Full name” value is stored, unchanged, in the variable $codes.
The $codes variable is subsequently used to populate the calendar’s tooltip in the admin back end.
No sanitization or output escaping is applied at the point where the $codes value is rendered, so HTML or script supplied in the “Full name” field is emitted verbatim into the tooltip and executes in the browser of whoever views it.
Resolving the Issue: A Look at the Patch
After examining the patch that resolves the vulnerability, we found that the $codes variable is now sanitized before it is used elsewhere in the code. Specifically, the patch applies PHP’s strip_tags() function to the $codes variable, which removes HTML tags such as <script> or <img> from the name before it reaches the tooltip. As a general caveat, strip_tags() removes markup but does not encode characters such as quotes, so it is not a substitute for context-aware output escaping (esc_html() or esc_attr() in WordPress) at the point where a value is written into HTML; the two measures are best used together.
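The following is an added example written for this post; it is not Bookly’s code. It models the pattern described above in plain PHP: a customer-supplied “Full name” is copied into a $codes array and later concatenated into tooltip HTML, first with no sanitization (the vulnerable pattern), then with strip_tags() at the point where $codes is built (the approach the patch takes), and finally with escaping at the output sink. The tooltip markup, the $codes keys and the sample input are hypothetical; the page does not show Bookly’s real template, and whether it places the name inside an HTML attribute is not stated here. htmlspecialchars() stands in for WordPress’ esc_html()/esc_attr() so the script runs without WordPress loaded.

```php
<?php
// Added example, not Bookly's code. Hypothetical model of the reported pattern:
// untrusted "Full name" -> $codes array -> calendar tooltip HTML.

// Constructed sample input: what an unauthenticated visitor could type into the
// public booking form's "Full name" field. It carries both a tag-based payload
// and a quote that would break out of an HTML attribute.
$fullName = '<img src=x onerror=alert(document.cookie)>" onmouseover="alert(1)';

// Vulnerable pattern: the value is stored in $codes untouched.
function buildCodesVulnerable(string $fullName): array
{
    return ['client_name' => $fullName];
}

// Patch-style sanitization: strip_tags() applied when $codes is built.
function buildCodesStripTags(string $fullName): array
{
    return ['client_name' => strip_tags($fullName)];
}

// Vulnerable sink: $codes is concatenated straight into the tooltip markup.
// (Hypothetical template: the name lands in an attribute and in element text.)
function renderTooltipVulnerable(array $codes): string
{
    return '<div class="tooltip" title="' . $codes['client_name'] . '">'
         . '<b>' . $codes['client_name'] . '</b></div>';
}

// Context-aware escaping at the sink. In WordPress this would be esc_attr()
// for the attribute and esc_html() for the text node; htmlspecialchars() with
// ENT_QUOTES covers both here so the example runs stand-alone.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderTooltipEscaped(array $codes): string
{
    return '<div class="tooltip" title="' . esc($codes['client_name']) . '">'
         . '<b>' . esc($codes['client_name']) . '</b></div>';
}

// 1) No sanitization, no escaping: the <img> payload is emitted verbatim.
echo "Vulnerable:\n", renderTooltipVulnerable(buildCodesVulnerable($fullName)), "\n\n";

// 2) strip_tags() only: the <img ...> tag is removed, so the tag-based payload
//    is gone, but the leftover '" onmouseover="alert(1)' still closes the
//    title attribute and adds a handler. Whether Bookly's real template has an
//    attribute sink is not known from this post; the point is that strip_tags()
//    does not neutralize quotes.
echo "strip_tags only:\n", renderTooltipVulnerable(buildCodesStripTags($fullName)), "\n\n";

// 3) Escaping at the sink: <, > and " become entities in both contexts, so the
//    raw value is displayed as text and cannot break out.
echo "Escaped at sink:\n", renderTooltipEscaped(buildCodesVulnerable($fullName)), "\n";
```

Run it with `php example.php` and compare the three renderings. The second output is the one to study: strip_tags() is a reasonable input-side measure against the tag injection this post describes, but a stray double quote survives it, which is why escaping with esc_attr()/esc_html() at every output location that consumes $codes is the check a reviewer would ask for in addition to the patch.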
This post highlighted a vulnerability in the Bookly plugin that allows unauthenticated attackers to inject malicious scripts through the booking form’s “Full name” field. The payload executes in the browser of an administrator who views the affected appointment’s tooltip in the plugin’s calendar, which could lead to compromise of the entire site. The vulnerability has been fully resolved in version 21.5.1. We strongly recommend that WordPress site owners update to the latest patched version of the plugin (version 21.6 at the time of writing) to prevent potential attacks.
All SEQRITE and Quick Heal customers are protected against any exploits targeting this vulnerability through the following signatures: