CVE-2024-5584
Description
Stored XSS in Bookly WordPress plugin (≤23.2) via Color Profile parameter allows authenticated staff/subscribers to inject arbitrary web scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Bookly plugin for WordPress (versions up to and including 23.2) contains a stored cross-site scripting (XSS) vulnerability in the Color Profile parameter. Insufficient input sanitization and output escaping allow authenticated users with at least Subscriber-level access and the staff member role to inject arbitrary HTML and JavaScript. The injected script is stored and executed when any user accesses the affected page. [1]
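The defect class described above (a colour field stored without validation and echoed without escaping) is easiest to see next to its hardened form. The following is an added illustration, not Bookly's code: a hypothetical WordPress settings handler using made-up `hypo_*` function names and option keys, and assuming the `manage_options` capability for the save path. Only the WordPress core functions it calls (`sanitize_hex_color`, `esc_attr`, `esc_html`, `check_admin_referer`, `wp_unslash`, `update_option`, `get_option`) are real.

```php
<?php
// Added example (not Bookly's code): a hypothetical "color profile" setting
// for a staff member, shown in an insecure and a hardened version.

// --- Insecure pattern: raw input stored, raw value echoed ----------------
function hypo_save_color_insecure() {
    // Stores whatever the client sent; no capability check, no validation.
    update_option( 'hypo_staff_color', $_POST['color_profile'] );
}

function hypo_render_color_insecure() {
    $color = get_option( 'hypo_staff_color', '#336699' );
    // Unescaped output in both an attribute and a text context: any markup
    // that reached the database is handed to every viewer's browser as-is.
    echo '<span class="staff-color" style="background:' . $color . '">' . $color . '</span>';
}

// --- Hardened pattern: authorise, validate on write, escape on read ------
function hypo_save_color_hardened() {
    // Assumption for this example: only users who can manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // The submitting form must carry a nonce created with wp_nonce_field( 'hypo_save_color' ).
    check_admin_referer( 'hypo_save_color' );

    $raw   = isset( $_POST['color_profile'] ) ? wp_unslash( $_POST['color_profile'] ) : '';
    // sanitize_hex_color() returns '#rgb' / '#rrggbb' for valid input,
    // '' for an empty string and null for anything else: reject both.
    $color = sanitize_hex_color( $raw );
    if ( empty( $color ) ) {
        wp_die( 'Color profile must be a hex colour such as #336699.' );
    }
    update_option( 'hypo_staff_color', $color );
}

function hypo_render_color_hardened() {
    $color = get_option( 'hypo_staff_color', '#336699' );
    // Defence in depth: rows written before validation existed may still hold
    // arbitrary strings, so re-validate on read and fall back to a default.
    $color = sanitize_hex_color( $color ) ?: '#336699';
    // Escape separately for the attribute context and the text context.
    printf(
        '<span class="staff-color" style="background:%1$s">%2$s</span>',
        esc_attr( $color ),
        esc_html( $color )
    );
}
```

Output escaping is the control that actually stops a stored XSS from firing; the strict allow-list on write (only a hex colour is ever stored) limits what can reach the database in the first place, and the capability and nonce checks close off the low-privilege write path the advisory describes. When reviewing a plugin for this class of bug, look for every `echo`/`printf` of a value that originated in user input and confirm it passes through a context-appropriate `esc_*` function.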
Exploitation
An attacker must have a valid WordPress account with the staff member role and Subscriber-level access or higher. The attacker can then craft a malicious payload in the Color Profile field, which is not properly sanitized. Upon saving, the payload is stored and will execute in the browsers of other users (including administrators) who view the page containing the injected content. No additional user interaction is required beyond visiting the page.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive information, or further actions within the WordPress admin interface if the victim is an administrator. The attack is persistent and can affect multiple users.
Mitigation
The vulnerability is fixed in versions after 23.2. Users should update to the latest version (currently 27.5) available from the WordPress plugin repository [1]. No workarounds are documented. The plugin is actively maintained, and no EOL status has been announced. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=23.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.