Bookero Pl System Rezerwacji Online
Monthly
Stored Cross-Site Scripting in the Bookero.pl WordPress booking plugin (versions up to and including 2.2) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the `bookero_products` shortcode. The `bookero_products()` function in `libraries/bookero-front.php` (lines 173-174) concatenates the raw `hide_products` and `filter_products` attribute values directly into an inline `<script>` block with no sanitization or output escaping, meaning any page rendered with the poisoned shortcode will execute the attacker-supplied script in every visitor's browser. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Bookero.pl WordPress booking plugin (versions up to and including 2.2) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the `bookero_products` shortcode. The `bookero_products()` function in `libraries/bookero-front.php` (lines 173-174) concatenates the raw `hide_products` and `filter_products` attribute values directly into an inline `<script>` block with no sanitization or output escaping, meaning any page rendered with the poisoned shortcode will execute the attacker-supplied script in every visitor's browser. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.