Security Alert Summary
The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress (Bookly) is affected by a stored cross-site scripting (XSS) vulnerability via the bookly-customer-full-name cookie in versions up to and including 27.2. The issue is caused by insufficient input sanitization and output escaping and can allow unauthenticated attackers to inject arbitrary scripts that execute when a user loads an affected page. Exploitation requires the “Remember personal information in cookies” setting to be enabled (disabled by default).
CVE Details
- CVE ID: CVE-2026-5513
- Affected component: Online Scheduling and Appointment Booking System – Bookly plugin for WordPress
- Affected versions: Versions up to, and including, 27.2
- Published: June 13, 2026 12:16:15 PM UTC
- Last modified: June 13, 2026 12:16:15 PM UTC
- CVSS v3.1: Base Score 7.2, Severity HIGH, Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Attack vector / complexity: Network / Low
- Privileges required: None
- User interaction: None
- Scope: Changed
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- Weakness (CWE): CWE-79 (Improper Neutralization of Input During Web Page Generation)
Technical Details
This vulnerability is a stored cross-site scripting issue caused by insufficient input sanitization and missing output escaping for data stored in the bookly-customer-full-name cookie. When the plugin reads and renders the value from this cookie without proper sanitization/escaping, an attacker can inject arbitrary JavaScript that will be executed in the browser context of any user who accesses the injected page.
The vulnerability requires the plugin setting “Remember personal information in cookies” to be enabled. With that setting enabled, an unauthenticated attacker can supply a specially crafted value that becomes persistent and is later rendered in pages viewed by other users. The impact is limited to what an attacker can accomplish via script execution in the victim’s browser, consistent with the CVSS impacts (confidentiality and integrity reduced to Low, availability unaffected).
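The following plain PHP is an added illustration, not code from the Bookly plugin or its vendor: it reproduces the pattern the advisory describes (a cookie value rendered into markup without escaping) beside a hardened form that sanitizes on input and escapes for the HTML attribute context on output. The cookie name comes from the advisory; the field name, the helper names and the sample cookie value are constructed for this example.

```php
<?php
// Added illustration of the stored-XSS pattern from the advisory, in plain PHP so
// it runs offline. Not Bookly's code. Only the cookie name is taken from the
// advisory; "full_name" and the helper names are hypothetical.

const COOKIE_NAME = 'bookly-customer-full-name';

// Vulnerable pattern: the cookie value is trusted and concatenated straight into
// an attribute. A double quote in the value closes the attribute and the rest of
// the string becomes markup in every visitor's page.
function render_name_field_vulnerable(array $cookies): string
{
    $name = $cookies[COOKIE_NAME] ?? '';
    return '<input type="text" name="full_name" value="' . $name . '">';
}

// Hardened pattern, step 1: sanitize on input. A customer name should contain no
// markup or control characters and has a sensible maximum length.
// (WordPress equivalent: sanitize_text_field().)
function sanitize_name(string $raw): string
{
    $clean = strip_tags($raw);                              // drop any tags
    $clean = preg_replace('/[\x00-\x1F\x7F]/u', '', $clean); // drop control chars
    $clean = trim($clean);
    return mb_substr($clean, 0, 100);                       // cap the length
}

// Hardened pattern, step 2: escape on output, for the context it lands in.
// Attribute context needs quotes escaped as well as < > &.
// (WordPress equivalents: esc_attr() for attributes, esc_html() for text nodes.)
function esc_attr_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_name_field_hardened(array $cookies): string
{
    $name = sanitize_name($cookies[COOKIE_NAME] ?? '');
    return '<input type="text" name="full_name" value="' . esc_attr_value($name) . '">';
}

// Constructed sample cookie: a benign marker showing an attribute breakout,
// standing in for whatever a browser under an attacker's control might send.
$sample_cookies = [
    COOKIE_NAME => 'Jane "><b>injected</b> Doe',
];

echo "Vulnerable rendering:\n", render_name_field_vulnerable($sample_cookies), "\n\n";
echo "Hardened rendering:\n", render_name_field_hardened($sample_cookies), "\n";
// The vulnerable output contains a live <b> element outside the attribute;
// the hardened output renders the whole value as inert attribute text.
```

Output escaping alone is what prevents the script from running; the input sanitization is defence in depth, since the same value may later be printed in other contexts (email templates, admin lists) that the original rendering path did not anticipate. When reviewing a site for this class of issue, look for any place a cookie, request parameter or stored customer field is echoed without a context-appropriate escaping call.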
How This Could Impact Your Website
On a multi-user WordPress site, an attacker could inject a script that runs in the browsers of administrators, editors, or staff when they load an affected page. Practical consequences include exposure of account-related information accessible in the page context, scraping of visible data such as internal user names or email addresses, or actions performed in the user session context that the script is permitted to execute. This increases the risk of targeted phishing or social engineering against staff and contributors.
If you reassign roles, work with external contractors, or have multiple editors contributing content, an injected script could be used to gather information that helps an attacker craft convincing phishing messages aimed at specific users. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Until an update is applied, consider disabling the “Remember personal information in cookies” setting if it is enabled and not required.
- Review and reduce unnecessary user roles and capabilities, especially for contributors and lower-privilege accounts.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and access logs for unusual behavior, and review recent changes to pages or stored data.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.