The Bookly plugin for WordPress suffers from a stored XSS vulnerability (CWE-79) in the Color Profile parameter. This occurs because the plugin does not properly sanitize or escape input before rendering it on web pages. Authenticated users with low privileges (staff member role or Subscriber-level access and above) can exploit this to inject malicious scripts. These scripts execute in the context of users who access the injected pages, potentially leading to session hijacking or other client-side attacks. The vulnerability is present in all versions up to 23.2. No patch or official fix information is provided in the available data.

Successful exploitation allows authenticated users with relatively low privileges to inject and execute arbitrary JavaScript in the browsers of other users viewing the affected pages. This can lead to information disclosure, session hijacking, or other client-side impacts. The vulnerability does not affect availability and requires user interaction (viewing the injected page). The CVSS vector indicates network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict or monitor staff member and Subscriber-level access to trusted users only. Consider applying web application firewall (WAF) rules to detect and block suspicious input related to the Color Profile parameter. Avoid exposing affected plugin pages to untrusted users. Monitor vendor channels for updates and apply official patches promptly once released.