Description
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Proof of Concept
Go to Bookly > Settings > Logs, perform a search and intercept the resulting request. The parameter columns%5B0%5D%5Bdata%5D (URL-encoded columns[0][data], the DataTables server-side-processing field that names the column to sort on), which normally carries the value created_at, is vulnerable to payloads such as:

(select*from(select(sleep(10)))a)

Replace created_at with that payload and resend the request: the response is delayed by roughly 10 seconds, which confirms that the value is placed unquoted into the SQL statement and that a time-based blind injection is possible. sleep() is a MySQL/MariaDB function, i.e. the database WordPress runs on, so the same payload does not carry over to other engines.
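The pattern behind this kind of bug, as an added illustration that is not Bookly's code: a DataTables-style server-side handler that concatenates the client-supplied columns[0][data] value straight into ORDER BY, next to the allowlisted version that fixes it. The table, rows and function names are hypothetical. It runs on sqlite3, which has no sleep(), so instead of the advisory's delay-based payload the injected expression leaks a boolean through row order, which is the same root cause (an unvalidated sort column) exploited through a different side channel.

```python
"""Constructed demonstration of an unvalidated DataTables sort column
being interpolated into ORDER BY (illustrative code, not the plugin's).
Uses sqlite3 in memory; the blind payload signals through row order
because sqlite has no sleep()."""
import sqlite3
from urllib.parse import parse_qs, urlencode

# Hypothetical log table standing in for the plugin's logs table.
ALLOWED_SORT_COLUMNS = {"id", "action", "created_at"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logs (id INTEGER PRIMARY KEY, action TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO logs (action, created_at) VALUES (?, ?)",
        [  # constructed sample rows
            ("create", "2024-01-01 10:00:00"),
            ("update", "2024-01-02 10:00:00"),
            ("delete", "2024-01-03 10:00:00"),
        ],
    )
    return conn


def sort_column(query_string: str) -> str:
    """Read columns[0][data] as a DataTables backend would; parse_qs decodes
    the %5B/%5D brackets seen in the intercepted request."""
    return parse_qs(query_string).get("columns[0][data]", [""])[0]


def vulnerable_ids(conn: sqlite3.Connection, query_string: str) -> list:
    """Vulnerable pattern: the sort column is concatenated unquoted, so any
    SQL expression the client sends becomes part of the ORDER BY clause."""
    sql = f"SELECT id FROM logs ORDER BY {sort_column(query_string)}"
    return [row[0] for row in conn.execute(sql)]


def hardened_ids(conn: sqlite3.Connection, query_string: str) -> list:
    """Fix: identifiers cannot be bound as prepared-statement parameters, so
    the column name must come from a fixed allowlist and anything else is
    rejected before it reaches the SQL string."""
    col = sort_column(query_string)
    if col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"invalid sort column: {col!r}")
    sql = f"SELECT id FROM logs ORDER BY {col}"  # col is a known-good literal
    return [row[0] for row in conn.execute(sql)]


def blind_payload(condition: str) -> str:
    """Build the query string an attacker would resend after intercepting the
    request: the sort expression flips between id and -id depending on the
    injected condition (sqlite stand-in for the MySQL sleep() payload)."""
    expr = f"(CASE WHEN {condition} THEN id ELSE -id END)"
    return urlencode({"columns[0][data]": expr})


def condition_holds(conn: sqlite3.Connection, condition: str) -> bool:
    """One bit of a blind extraction: ascending ids mean the condition was
    true, descending ids mean it was false."""
    ids = vulnerable_ids(conn, blind_payload(condition))
    return ids == sorted(ids)


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_ids(db, "columns%5B0%5D%5Bdata%5D=created_at"))
    print(condition_holds(db, "(SELECT action FROM logs WHERE id=1)='create'"))
    try:
        hardened_ids(db, blind_payload("1=1"))
    except ValueError as err:
        print("rejected:", err)
```

The allowlist is the only real fix for this class of bug: escaping functions are built for string literals, not identifiers, and a sort column that is still interpolated after "sanitising" remains injectable. Mapping the client value to a server-side constant (or rejecting it) removes the attacker's control over the SQL text entirely.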