CVE-2026-5513

Bookly · Online Scheduling and Appointment Booking System

The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'bookly-customer-full-name' cookie.

Executive summary

The Bookly plugin for WordPress contains a Stored Cross-Site Scripting vulnerability that could allow unauthenticated attackers to execute malicious scripts in a user's browser.

Vulnerability

The injection point is the 'bookly-customer-full-name' cookie. Its value is accepted by the plugin without sufficient sanitization, stored, and later rendered into page markup without adequate escaping, which is what makes this a stored rather than reflected XSS. An unauthenticated attacker can therefore plant arbitrary client-side script that executes in the browser of any user who views the affected data; per the impact section below, that audience includes administrators.

Business impact

Successful exploitation lets an attacker run script in the victim's session: perform actions on behalf of an administrator, redirect users to malicious sites, or attempt to steal session cookies. Note that WordPress sets its authentication cookies HttpOnly, so the realistic outcome is script-driven abuse of the victim's authenticated session (for example creating a privileged user) rather than outright cookie theft. With a CVSS score of 7.2, this high-severity flaw poses a significant risk to the integrity and confidentiality of WordPress site management.

Remediation

Immediate Action: Update the Bookly plugin to the latest available version provided by the vendor to ensure the vulnerability is patched.

Proactive Monitoring: Review web server and application logs for script tags, event-handler attributes, or percent-encoded equivalents in booking-related cookies. Default Apache and nginx access-log formats do not record the Cookie request header, so add it to the log format (for example via %{Cookie}i in an Apache LogFormat, or $http_cookie in nginx) before expecting to find anything.

Compensating Controls: Deploy a Web Application Firewall (WAF) with XSS rules, and confirm that those rules are actually applied to the Cookie header and not only to query-string and body parameters. Treat this as a stop-gap until the plugin is updated, not as a fix.
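The log review described above, as an added example (this is illustrative code written for this page, not Bookly's or any vendor's tooling). It assumes the server has been configured with a custom log format that appends the Cookie header after the status code; the log lines below are constructed samples, and the request paths in them are illustrative. It decodes each cookie value (unwrapping double percent-encoding) and flags values carrying HTML tags, event handlers, or javascript:/data: URIs, which have no business in a customer's name.

```python
"""Scan access logs for XSS payloads in Bookly cookies.

Assumed (not default) Apache LogFormat producing the lines scanned here:
    LogFormat "%h %l %u %t \"%r\" %>s \"%{Cookie}i\"" bookly_cookie
Lines in the default combined format carry no cookies and are skipped.
"""
import re
from urllib.parse import unquote

# Cookie named in the advisory; pass cookie_names=None to scan every cookie.
BOOKLY_COOKIES = ("bookly-customer-full-name",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<cookies>.*)"$'
)

# Indicators checked in order; the first match names the finding.
XSS_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z]", re.I),        # any opening/closing tag
    "event_handler": re.compile(r"\bon\w+\s*=", re.I),      # onerror=, onload=, ...
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "data_uri": re.compile(r"data\s*:\s*text/html", re.I),
}


def decode_cookie_value(raw: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double-encoded payloads unwrap."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header into {name: raw_value}, keeping the first of each name."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value
    return cookies


def classify(value: str):
    """Return the label of the first XSS indicator in a decoded value, else None."""
    for label, pattern in XSS_PATTERNS.items():
        if pattern.search(value):
            return label
    return None


def scan_log(lines, cookie_names=BOOKLY_COOKIES):
    """Return one finding per (line, cookie) whose decoded value looks like XSS.
    Lines that do not match LOG_RE (no cookie field) are silently skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        for name, raw in parse_cookie_header(m["cookies"]).items():
            if cookie_names is not None and name not in cookie_names:
                continue
            decoded = decode_cookie_value(raw)
            label = classify(decoded)
            if label:
                findings.append({"ip": m["ip"], "time": m["time"], "request": m["request"],
                                 "cookie": name, "value": decoded, "indicator": label})
    return findings


# Constructed sample log lines (not captured from a real site).
SAMPLE_LOG = [
    # 1: benign booking
    '198.51.100.7 - - [10/Mar/2026:09:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 '
    '"bookly-customer-full-name=Alice%20Smith; wordpress_test_cookie=WP+Cookie+check"',
    # 2: script tag, single percent-encoding
    '203.0.113.5 - - [10/Mar/2026:09:15:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 '
    '"bookly-customer-full-name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"',
    # 3: img/onerror, double-encoded to slip past a naive filter
    '203.0.113.5 - - [10/Mar/2026:09:16:05 +0000] "GET /book-online/ HTTP/1.1" 200 '
    '"bookly-customer-full-name=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E"',
    # 4: legitimate apostrophe must not be flagged
    '198.51.100.9 - - [10/Mar/2026:09:18:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 '
    '"bookly-customer-full-name=Conor%20O%27Brien"',
    # 5: default combined-format line, no cookie field -> skipped
    '198.51.100.7 - - [10/Mar/2026:09:20:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # 6: payload in an unrelated cookie, only seen when scanning all cookies
    '203.0.113.5 - - [10/Mar/2026:09:21:12 +0000] "GET /book-online/ HTTP/1.1" 200 '
    '"bookly-customer-full-name=Bob; other=javascript%3Aalert%281%29"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['cookie']} [{f['indicator']}] {f['value']!r}")
```

Run against the samples, the scan reports lines 2 and 3 from 203.0.113.5 and nothing for the benign names; passing cookie_names=None additionally surfaces the javascript: URI in the unrelated cookie on line 6. Widen or narrow XSS_PATTERNS to taste, but keep the double-decode step: single-pass filters are exactly what the double-encoded sample is built to evade.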

Exploitation status

Public Exploit Available: false

Analyst recommendation

Administrators should prioritize updating the Bookly plugin immediately. If the injected payload fires in an administrator's session, the result could be administrative account takeover and, from there, site-wide compromise.