EUVD-2026-20890
GHSA-ghp2-h9w4-7r66
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4Description
The Online Scheduling and Appointment Booking System - Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number to the 'tips' parameter, causing the total price to be reduced to zero.
Analysis
Price manipulation in Bookly WordPress plugin (versions up to 27.0) allows unauthenticated attackers to reduce appointment booking costs to zero by submitting negative values to the 'tips' parameter, exploiting insufficient server-side validation of user-supplied pricing input. No public exploit code or active exploitation has been confirmed, but the vulnerability carries moderate risk due to its ease of exploitation and direct financial impact on e-commerce transactions.
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today