CVE-2018-6891
Description
Bookly Lite before 14.5 has an unauthenticated stored XSS via a jQuery.ajax request to ng-payment_details_dialog.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A blind stored XSS vulnerability exists in the Bookly #1 WordPress Booking Plugin Lite version before 14.5 (and possibly Bookly Pro before 14.5). The flaw resides in ng-payment_details_dialog.js, where a jQuery.ajax request lacks proper sanitization, allowing injection of arbitrary JavaScript [3].
Exploitation
An unauthenticated attacker can send a crafted jQuery.ajax request to the ng-payment_details_dialog.js endpoint with malicious script in the payment details fields. The injected script is stored and executed in the admin panel when an administrator views the affected page [3].
Impact
Successful exploitation results in persistent cross-site scripting (XSS) within the WordPress admin panel, enabling the attacker to steal session cookies, perform administrative actions, or deface the site. The attacker gains the same privileges as the admin user [3].
Mitigation
Update to Bookly Lite version 14.5 (released 26 January 2018) or later [3]. For Bookly Pro users, upgrade to the latest available version to ensure the fix is applied. No workaround is documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
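The record above does not show the plugin's code, so the following is an added illustrative example, not Bookly's own source. It shows the general stored-XSS pattern the narrative describes for an admin-side jQuery dialog: a response field that a customer controlled is concatenated into markup and handed to an HTML sink, beside the hardened form that escapes every field before it reaches the page. The function names (`renderPaymentDetailsUnsafe`, `renderPaymentDetailsSafe`, `escapeHtml`, `payloadSurvives`) and the sample response are assumptions constructed for this example.

```javascript
// Added example (not Bookly's code): the stored-XSS rendering pattern and its
// hardened form. Names and sample data below are constructed for illustration.

// Constructed sample of a payment-details AJAX response. The customer_name
// field carries markup exactly as a customer could have submitted it and as it
// would sit in the database until an administrator opens the dialog.
const SAMPLE_RESPONSE = {
  customer_name: 'Jane <script>alert(1)</script>',
  amount: '25.00',
  notes: 'Paid via "card"',
};

// Escape the five characters that let data break out of an HTML text or
// attribute context. Anything stored server-side must pass through this (or an
// equivalent, such as WordPress's esc_html()) before being placed in markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: response fields are concatenated straight into markup.
// In the dialog this string would go to an HTML sink such as
// $('#payment-details').html(markup), so stored script runs in the admin page.
function renderPaymentDetailsUnsafe(details) {
  return (
    '<tr>' +
    '<td>' + details.customer_name + '</td>' +
    '<td>' + details.amount + '</td>' +
    '<td>' + details.notes + '</td>' +
    '</tr>'
  );
}

// Hardened pattern: every untrusted field is escaped at the point it enters
// markup. The browser then shows the stored payload as literal text. Using
// .text() per cell, or building cells with createElement/textContent, gives
// the same result without string templating.
function renderPaymentDetailsSafe(details) {
  return (
    '<tr>' +
    '<td>' + escapeHtml(details.customer_name) + '</td>' +
    '<td>' + escapeHtml(details.amount) + '</td>' +
    '<td>' + escapeHtml(details.notes) + '</td>' +
    '</tr>'
  );
}

// Detection check a reviewer or tester can run against any renderer: does a
// script tag or an inline event handler survive in the produced markup?
function payloadSurvives(renderFn, details) {
  const out = renderFn(details);
  return /<script\b/i.test(out) || /\son\w+\s*=/i.test(out);
}

// Stand-alone run: report which renderer lets the stored payload through.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe renderer leaks payload:', payloadSurvives(renderPaymentDetailsUnsafe, SAMPLE_RESPONSE));
  console.log('safe renderer leaks payload:  ', payloadSurvives(renderPaymentDetailsSafe, SAMPLE_RESPONSE));
}
```

The server side needs the same discipline: a WordPress handler that writes customer-supplied fields should run them through sanitize_text_field() on input and esc_html()/esc_attr() on output, and the AJAX action that stores them should verify a nonce and capability so an unauthenticated request cannot write the record in the first place.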
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
- wordpress.org/plugins/bookly-responsive-appointment-booking-tool/
- www.gubello.me/blog/bookly-blind-stored-xss/
News mentions: 0
No linked articles in our index yet.