Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable WordPress plugin endpoint leaking sensitive data with no user interaction; confidentiality-only impact, no integrity or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in Bookly <= 27.4 versions.
AnalysisAI
Sensitive data exposure in the Bookly WordPress appointment booking plugin (versions 27.4 and earlier) allows remote unauthenticated attackers to retrieve information that should remain protected, per a Patchstack advisory. With CVSS 7.5 reflecting high confidentiality impact and no required privileges or user interaction, the flaw is reachable over the network against any site running an affected Bookly version, though no public exploit identified at time of analysis.
Technical ContextAI
Bookly is a widely deployed WordPress plugin (cpe:2.3:a:bookly:bookly) that provides appointment scheduling, customer management, and booking workflows for service businesses, typically exposing AJAX and REST endpoints to handle booking flows. The issue maps to CWE-201 (Insertion of Sensitive Information into Sent Data), meaning the plugin returns data in responses that should have been filtered, scoped, or access-controlled before transmission. In practice this class of bug in WordPress plugins typically manifests as an endpoint that returns customer PII, booking details, staff data, or configuration values without verifying the requester's authentication or capability.
RemediationAI
Patch available per vendor advisory: upgrade Bookly to a version newer than 27.4 as described in the Patchstack entry (https://patchstack.com/database/wordpress/plugin/bookly-responsive-appointment-booking-tool/vulnerability/wordpress-bookly-plugin-27-4-sensitive-data-exposure-vulnerability); the exact fixed release should be confirmed from the WordPress.org plugin changelog before deployment. Until the upgrade is rolled out, compensating controls include restricting access to the Bookly AJAX/REST endpoints (for example, blocking unauthenticated requests to /wp-admin/admin-ajax.php actions starting with 'bookly_' and to the plugin's REST namespace at the WAF or reverse proxy), which can break public booking flows for unauthenticated visitors and should be tested on staging first. Operators using Patchstack or Wordfence virtual patching should enable the corresponding rule for this CVE, and audit recent access logs for suspicious enumeration of Bookly endpoints to detect prior data scraping.
The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.4 does not properly sanitise and escape a
Bookly #1 WordPress Booking Plugin Lite before 14.5 has XSS via a jQuery.ajax request to ng-payment_details_dialog.js. R
The WordPress Online Booking and Scheduling Plugin WordPress plugin before 20.3.1 does not escape the Staff Full Name fi
The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.5 does not sanitise and escape some of its
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Bookly, a WordPress appointment booking plugin, affecting
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to,
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via service titles in versions up to, and i
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36832
GHSA-cg3x-gr84-9cpm