Product: Bookly #1 WordPress Booking Plugin (Lite Version)
Version: 13.2
Active installations: 10,000+
Product page:
CVE: 2018-6891


An unauthenticated user can inject arbitrary persistent JavaScript code into the admin panel.

Proof of Concept


Bookly Lite 13.2 and Bookly Pro 14.5 are affected, probably even earlier versions.
I think the problem is that the jQuery.ajax request is not sanitized in ng-payment_details_dialog.js. [*]

07/01/2018 - I sent the report
26/01/2018 - Bookly Lite was updated to version 14.5 and the vulnerability was fixed
10/02/2018 - Public disclosure

[*] I have been very busy these days, so I could not read the code of the plug-in.
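The following is an added example, not Bookly's code, showing the defensive side of the issue reported above: data returned to the admin panel by a jQuery.ajax call must be escaped before it is placed into markup. The field names (customer_name, notes), the dialog structure and the sample record are assumptions made for illustration.

```javascript
// Added example (not code from the Bookly plugin): rendering AJAX-loaded
// payment details in an admin dialog. Field names and markup are assumed.

// Escape the characters that matter in HTML text and attribute context.
// '&' is replaced first so that entities we emit are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: server data concatenated straight into markup.
// Anything a visitor typed into a booking form becomes live HTML in the
// administrator's browser, which is the persistent XSS described above.
function renderPaymentDetailsUnsafe(payment) {
  return "<div class=\"customer\">" + payment.customer_name + "</div>" +
         "<div class=\"notes\">" + payment.notes + "</div>";
}

// Hardened pattern: every untrusted field is escaped before it touches markup.
function renderPaymentDetails(payment) {
  return "<div class=\"customer\">" + escapeHtml(payment.customer_name) + "</div>" +
         "<div class=\"notes\">" + escapeHtml(payment.notes) + "</div>";
}

// Check suitable for a unit test: after removing the wrapper divs we emitted
// ourselves, the rendered markup must not contain any other tag.
function containsInjectedMarkup(html) {
  const stripped = html.replace(/<\/?div[^>]*>/g, "");
  return /<[a-zA-Z!\/]/.test(stripped);
}

// Constructed sample record, standing in for the JSON the server would return
// for a booking whose free-text field holds a stored payload.
const samplePayment = {
  customer_name: "Jane Doe",
  notes: "<img src=x onerror=alert(1)>"
};

console.log(containsInjectedMarkup(renderPaymentDetailsUnsafe(samplePayment))); // true
console.log(containsInjectedMarkup(renderPaymentDetails(samplePayment)));       // false
```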