Skip to main content

Bookly EUVDEUVD-2026-36832

| CVE-2026-42667 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-15 Patchstack GHSA-cg3x-gr84-9cpm
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress plugin endpoint leaking sensitive data with no user interaction; confidentiality-only impact, no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:57 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in Bookly <= 27.4 versions.

AnalysisAI

Sensitive data exposure in the Bookly WordPress appointment booking plugin (versions 27.4 and earlier) allows remote unauthenticated attackers to retrieve information that should remain protected, per a Patchstack advisory. With CVSS 7.5 reflecting high confidentiality impact and no required privileges or user interaction, the flaw is reachable over the network against any site running an affected Bookly version, though no public exploit identified at time of analysis.

Technical ContextAI

Bookly is a widely deployed WordPress plugin (cpe:2.3:a:bookly:bookly) that provides appointment scheduling, customer management, and booking workflows for service businesses, typically exposing AJAX and REST endpoints to handle booking flows. The issue maps to CWE-201 (Insertion of Sensitive Information into Sent Data), meaning the plugin returns data in responses that should have been filtered, scoped, or access-controlled before transmission. In practice this class of bug in WordPress plugins typically manifests as an endpoint that returns customer PII, booking details, staff data, or configuration values without verifying the requester's authentication or capability.

RemediationAI

Patch available per vendor advisory: upgrade Bookly to a version newer than 27.4 as described in the Patchstack entry (https://patchstack.com/database/wordpress/plugin/bookly-responsive-appointment-booking-tool/vulnerability/wordpress-bookly-plugin-27-4-sensitive-data-exposure-vulnerability); the exact fixed release should be confirmed from the WordPress.org plugin changelog before deployment. Until the upgrade is rolled out, compensating controls include restricting access to the Bookly AJAX/REST endpoints (for example, blocking unauthenticated requests to /wp-admin/admin-ajax.php actions starting with 'bookly_' and to the plugin's REST namespace at the WAF or reverse proxy), which can break public booking flows for unauthenticated visitors and should be tested on staging first. Operators using Patchstack or Wordfence virtual patching should enable the corresponding rule for this CVE, and audit recent access logs for suspicious enumeration of Bookly endpoints to detect prior data scraping.

Share

EUVD-2026-36832 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy