Online Scheduling And Appointment Booking System Bookly
Stored cross-site scripting in the Bookly Online Scheduling and Appointment Booking System plugin for WordPress (versions through 27.2) allows remote unauthenticated attackers to inject arbitrary JavaScript via the 'bookly-customer-full-name' cookie, which is rendered without proper sanitization or output escaping. Exploitation requires the non-default 'Remember personal information in cookies' setting to be enabled, and no public exploit had been identified at the time of analysis. The flaw was reported by Wordfence, and the upstream fix landed in changeset 3504922 in the WordPress plugin repository.