Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Online Scheduling and Appointment Booking System - Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number to the 'tips' parameter, causing the total price to be reduced to zero.
AnalysisAI
Price manipulation in Bookly WordPress plugin (versions up to 27.0) allows unauthenticated attackers to reduce appointment booking costs to zero by submitting negative values to the 'tips' parameter, exploiting insufficient server-side validation of user-supplied pricing input. No public exploit code or active exploitation has been confirmed, but the vulnerability carries moderate risk due to its ease of exploitation and direct financial impact on e-commerce transactions.
Technical ContextAI
Bookly is a WordPress plugin for online appointment scheduling and payment processing. The vulnerability exists in the plugin's handling of the 'tips' parameter, which is processed without proper server-side validation in multiple locations (UserBookingData.php line 355, Ajax.php line 709, and CartInfo.php line 450). The root cause is classified as CWE-472 (Insufficient Input Validation), where the plugin trusts client-supplied pricing data without verifying it against the configured appointment price on the server. This is a classic business logic vulnerability in e-commerce systems where cost calculations should never rely solely on client-side inputs or user-provided values without backend verification. The affected product is the Online Scheduling and Appointment Booking System - Bookly plugin distributed through the WordPress plugin repository.
RemediationAI
Update the Bookly plugin immediately to a version after 27.0 where server-side validation of the 'tips' parameter has been implemented. The vendor has released a fix as referenced in the official changelog at https://www.booking-wp-plugin.com/change-log/ and changeset 3480956. Administrators should verify the update through WordPress admin panel (Plugins > Installed Plugins > Bookly) and confirm the new version is running. As a temporary workaround pending update, disable the tips/gratuity feature in Bookly settings if business requirements permit, or implement Web Application Firewall (WAF) rules to reject booking requests with negative tip values. Server-side validation fixes should ensure all pricing fields are recalculated server-side from the configured appointment rates, never trusting client-supplied values for financial calculations.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20890
GHSA-ghp2-h9w4-7r66