Share
## https://sploitus.com/exploit?id=WPEX-ID:DEA6077A-81EE-451F-B049-3749A2252C88
1. As an admin user, visit the Bookly > Appearance page.
2. Click "Save" and intercept the request.
3. In the body of the request, update the value of one of the attributes for any of the following option names (it will be of the format `options%5Bbookly_OPTION_NAME%5D=TEXT` and append the following payload after the value: `%3Cimg%20src=x%20onerror=alert(/xss/)%3E`

  Affected option names:
    - `bookly_l10n_button_back`
    - `bookly_l10n_button_download_ics`
    - `bookly_l10n_button_time_next`
    - `bookly_l10n_button_time_prev`
    - `bookly_l10n_label_email_confirm`
    - `bookly_l10n_label_email`
    - `bookly_l10n_label_finish_by`
    - `bookly_l10n_label_first_name`
    - `bookly_l10n_label_last_name`
    - `bookly_l10n_label_name`
    - `bookly_l10n_label_notes`
    - `bookly_l10n_label_pay_locally`
    - `bookly_l10n_label_phone`
    - `bookly_l10n_label_select_date`
    - `bookly_l10n_label_start_from`
    - `bookly_l10n_label_terms`
    - `bookly_l10n_step_details_button_login`
    - `bookly_l10n_step_details_button_next`
    - `bookly_l10n_step_done_button_start_over`
    - `bookly_l10n_step_service_button_next`
    - `bookly_l10n_step_service_mobile_button_next`

4. Add the `[bookly-form]` shortcode to a post and visit that post to trigger the XSS. Note that for some of the options above you may need to navigate through the steps of the form.