CVE-2023-1159

Name of the Vulnerable Software and Affected Versions Bookly plugin for WordPress versions up to, and including, 21.5

Description The issue is related to Stored Cross-Site Scripting via service titles due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrative privileges to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. The issue specifically affects multi-site installations and installations where unfiltered html has been disabled.

Recommendations For Bookly plugin for WordPress versions up to, and including, 21.5, update to a version higher than 21.5 to resolve the issue. As a temporary workaround, consider restricting access to service title editing for users with administrative privileges to minimize the risk of exploitation.