Severity by source
Primary rating from Vendor (Wordfence): AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Network-reachable and unauthenticated, but AC:H and UI:R because the non-default cookie-remember setting must be enabled and the attacker must induce cookie state plus a victim visit; XSS scope-changes into the browser with low C/I impact.
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Description (NVD)
The Online Scheduling and Appointment Booking System - Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Remember personal information in cookies' setting to be enabled (it is disabled by default).
Analysis (AI)
Stored cross-site scripting in the Bookly Online Scheduling and Appointment Booking System plugin for WordPress (versions through 27.2) allows remote unauthenticated attackers to inject arbitrary JavaScript via the 'bookly-customer-full-name' cookie, which is rendered without proper sanitization or output escaping. Exploitation is gated by the non-default 'Remember personal information in cookies' setting being enabled, and no public exploit had been identified at the time of analysis. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not reproduced here).
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Target WordPress site must have the Bookly plugin installed at version ≤ 27.2 AND the Bookly-specific setting 'Remember personal information in cookies' must be explicitly enabled by the site operator - this setting is disabled by default, so out-of-the-box installations are NOT exploitable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, score 7.2) reflects a network-reachable, unauthenticated, low-complexity issue with a scope change - consistent with XSS executing in the victim's browser origin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a WordPress site running Bookly ≤ 27.2 with 'Remember personal information in cookies' enabled, an attacker sets a malicious 'bookly-customer-full-name' cookie in their browser (or coerces a victim to set one via a separate vector), then triggers a booking-page render that echoes the cookie value unescaped, executing attacker JavaScript in the visitor's session. The payload can hijack admin sessions if a logged-in WordPress administrator subsequently views the booking page, leading to plugin/theme installation and full site takeover. … |
| Remediation | Upstream fix available (commit/changeset 3504922 in plugins.trac.wordpress.org); the released patched version is not independently confirmed beyond 'fixed after 27.2', so administrators should update the Bookly plugin to the latest version published on WordPress.org once available and verify the installed version is greater than 27.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
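The bug class behind the description and exploit scenario above is a remembered cookie value being written back into page HTML without escaping. The following PHP is an added illustration of that pattern beside its hardened form; it is not Bookly's code, and the function names, the markup and the sample cookie values are all constructed for this example. Plain PHP functions are used so it runs without WordPress, with the WordPress-native equivalents named in the comments.

```php
<?php
// Added example, not Bookly's code: one hypothetical render function that trusts
// a cookie (the vulnerable pattern) and one that sanitizes on read and escapes on
// output for the HTML-attribute context (the fixed pattern).

const COOKIE_NAME = 'bookly-customer-full-name';

/** Vulnerable pattern: the remembered name goes straight into an attribute. */
function render_name_field_vulnerable(array $cookies): string
{
    $name = $cookies[COOKIE_NAME] ?? '';
    return '<input type="text" name="full_name" value="' . $name . '">';
}

/** Hardened pattern: sanitize the input, then escape for the attribute context. */
function render_name_field_hardened(array $cookies): string
{
    $raw = $cookies[COOKIE_NAME] ?? '';
    // Approximates WordPress sanitize_text_field(): drop NUL bytes, tags and
    // surrounding whitespace. A "name" never legitimately contains markup.
    $name = trim(strip_tags(str_replace("\0", '', $raw)));
    // Equivalent of WordPress esc_attr(): ENT_QUOTES escapes both quote styles,
    // so the value cannot terminate the attribute; ENT_SUBSTITUTE avoids an
    // empty result on invalid UTF-8 instead of silently dropping the value.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="full_name" value="' . $safe . '">';
}

// Constructed sample cookies: a benign name and a value that closes the
// attribute and injects an element (a harmless <b> stands in for any payload).
$constructed = [
    'benign'    => [COOKIE_NAME => 'Ada Lovelace'],
    'attrbreak' => [COOKIE_NAME => '"><b>not a name</b>'],
];

foreach ($constructed as $label => $cookies) {
    echo $label . " / vulnerable: " . render_name_field_vulnerable($cookies) . "\n";
    echo $label . " / hardened:   " . render_name_field_hardened($cookies) . "\n";
}
```

Run with `php example.php`. For the second input the vulnerable function emits a closed attribute followed by a live `<b>` element, while the hardened function emits the value as inert text (`&quot;&gt;not a name`). The same two-step discipline (sanitize on ingest, escape for the exact output context) is what the upstream fix category "insufficient input sanitization and output escaping" refers to; the defensive point is that cookies are attacker-controlled input like any other request field.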
Recommended Action (AI)
Within 24 hours: Verify whether 'Remember personal information in cookies' is enabled in Bookly settings; disable if active. …
Related identifiers: EUVD-2026-36651, GHSA-pfrr-cpcq-w8m8