WordPress Site Security Alert: Bookly Plugin Vulnerability Discovered and Patched
29 March 2023

Written by Vinay Kumar

WordPress is a popular content management system that allows users to create and manage websites with the help of various plugins. One such plugin widely used by over 60,000 websites is the “WordPress Online Booking and Scheduling Plugin – Bookly.” Bookly streamlines online bookings and automates the reservation process. However, like many other WordPress plugins, it, too, can be vulnerable to exploitation by attackers.

In March 2023, Quick Heal Security Labs identified a vulnerability in the Bookly plugin. As soon as we discovered the flaw, we initiated responsible disclosure procedures to ensure that the vulnerability would be addressed promptly. On March 3, 2023, we contacted the Bookly plugin support team after discovering the vulnerability earlier that day and provided them with the full technical details. We also notified plugins@wordpress.org and Wordfence (CNA) of the vulnerability. The vulnerability was quickly acknowledged and assigned the CVE-2023-1172 identifier. The Bookly team worked on developing a patch and released it on March 9, 2023, in version 21.5.1.

In this post, we analyse the root cause of the vulnerability and examine the patch that was released to address it.

Analysing CVE-2023-1172 – Unauthenticated Stored Cross-Site Scripting via Name

Our research revealed that the Bookly plugin’s “Full name” field, which a visitor fills in on the booking form without authenticating, was vulnerable to stored cross-site scripting (XSS) because the value was neither sanitized on input nor escaped on output. The plugin also reuses the “Full name” value in several files, so a single unsanitized field gives an injected payload multiple places to render.

In the affected code, the “Full name” value is stored in the variable $codes. $codes is subsequently used to build the calendar’s tooltip, and at that point the value is emitted without any sanitization or escaping. A name containing HTML or JavaScript is therefore stored exactly as submitted and executes in the browser of whoever views that tooltip.

Resolving the Issue: A Look at the Patch

Examining the patch, the $codes variable is now sanitized before it is reused: the fix applies PHP’s strip_tags function to the “Full name” value, removing any HTML tags (and therefore <script> and similar elements) before the value is stored in $codes and used elsewhere in the code. One caveat for practitioners: strip_tags removes tags but does not encode quotes or other characters that remain, so it is an input sanitizer rather than a context-aware output escaper. The defence-in-depth pattern WordPress recommends is to also escape the value at the point of output, with esc_html() or esc_attr() depending on where it lands.
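To make the root cause concrete, here is an added illustration written for this post; it is not Bookly’s code, and the $codes array, the tooltip markup and the function names are hypothetical stand-ins. It builds a tooltip from a submitted “Full name” three ways (unsanitized, with strip_tags() as the patch does, and with context-aware output escaping) and checks each result for injected script elements or on* event-handler attributes. The fourth constructed sample shows why strip_tags() alone is not a complete XSS control: a quote-based attribute break-out contains no tags for it to remove.

```php
<?php
// Added example, not Bookly's code: a toy tooltip builder showing how an
// attacker-controlled "Full name" reaches HTML, what strip_tags() fixes,
// and why escaping at output time is the more robust control.
// $codes, the tooltip markup and the function names are hypothetical.

// Constructed inputs a visitor could submit as "Full name" on a booking form.
const SAMPLE_NAMES = [
    'Alice Smith',                               // benign
    '<script>alert(document.cookie)</script>',   // classic tag-based payload
    '<img src=x onerror=alert(1)>',              // tag with an event handler
    'Bob" onmouseover="alert(1)',                // attribute break-out, no tags
];

// 1. Vulnerable pattern: the raw value is placed in $codes and then
//    concatenated straight into the tooltip markup.
function tooltip_vulnerable(string $full_name): string
{
    $codes = ['client_name' => $full_name];
    return '<div class="tooltip" title="' . $codes['client_name'] . '">'
         . $codes['client_name'] . '</div>';
}

// 2. The approach the post describes for the patch: strip_tags() is applied
//    before the value is reused, so HTML tags never reach the output.
function tooltip_strip_tags(string $full_name): string
{
    $codes = ['client_name' => strip_tags($full_name)];
    return '<div class="tooltip" title="' . $codes['client_name'] . '">'
         . $codes['client_name'] . '</div>';
}

// 3. Context-aware output escaping (what WordPress's esc_attr()/esc_html()
//    do; htmlspecialchars() is the plain-PHP equivalent used here so the
//    script runs without WordPress loaded). Quotes and angle brackets are
//    encoded, so neither tags nor attribute break-outs survive.
function tooltip_escaped(string $full_name): string
{
    $safe = htmlspecialchars($full_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="tooltip" title="' . $safe . '">' . $safe . '</div>';
}

// Parse the rendered fragment the way a browser would and report whether an
// injected <script> element or any on* handler attribute actually exists.
function looks_exploitable(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate malformed markup
    $doc->loadHTML('<!DOCTYPE html><body>' . $html . '</body>');
    libxml_clear_errors();

    if ($doc->getElementsByTagName('script')->length > 0) {
        return true;
    }
    foreach ((new DOMXPath($doc))->query('//@*') as $attr) {
        if (stripos($attr->nodeName, 'on') === 0) {
            return true;
        }
    }
    return false;
}

$renderers = [
    'vulnerable' => 'tooltip_vulnerable',
    'strip_tags' => 'tooltip_strip_tags',
    'escaped'    => 'tooltip_escaped',
];

foreach (SAMPLE_NAMES as $name) {
    echo "Input: {$name}\n";
    foreach ($renderers as $label => $fn) {
        $html = $fn($name);
        printf("  %-10s %-11s %s\n", $label,
               looks_exploitable($html) ? 'EXPLOITABLE' : 'safe', $html);
    }
    echo "\n";
}
```

Run it with `php tooltip_demo.php` (ext-dom, bundled with PHP, is required for the check). The first three samples are neutralised by strip_tags(), which matches what the patch addresses; the fourth survives it, because there is no tag to strip and the double quote closes the hypothetical title attribute, while the escaped variant encodes the quote and stays inert. Whether a given field ends up in element content or an attribute is exactly the context an output-escaping function is chosen for.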

Conclusion

This post described a vulnerability in the Bookly plugin that allowed unauthenticated attackers to inject malicious scripts through the booking form’s “Full name” field. Because the payload rendered in the plugin’s calendar tooltip, it executed in the browser of the site owner or administrator viewing the calendar, with that user’s privileges, which could lead to a full site compromise. The vulnerability is fixed in version 21.5.1. We strongly recommend that WordPress site owners confirm the installed Bookly version is 21.5.1 or later and update to the latest patched release (version 21.6 at the time of writing) to prevent potential attacks.

All SEQRITE and Quick Heal customers are protected against exploits targeting this vulnerability through the following signatures:

  • HTTP/CVE-2023-1172!VK.46842
  • HTTP/CVE-2023-1172!VK.47543
