Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bookly Bookly bookly-responsive-appointment-booking-tool allows Reflected XSS. This issue affects Bookly: from n/a through <= 26.7.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

Bookly, a WordPress appointment‑booking plugin, contains a reflected Cross‑Site Scripting vulnerability: input supplied in a specially composed URL is written into a page without adequate neutralization, so an attacker can have arbitrary JavaScript execute in the browser of any victim who opens the link. The script runs in the victim's session and can expose session cookies, deface content, or serve as a foothold for further attacks against that user. The root cause is improper neutralization of input during web page generation (CWE-79), a classic client‑side weakness.

Affected Systems

WordPress sites using the Bookly plugin version 26.7 or earlier are affected. The vulnerability applies to all editions of the plugin released up to that version, regardless of other installed plugins or themes.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (High) reflects an attack delivered over the network that relies on the victim following a link (UI:R). The exploit requires neither authentication nor special user privileges (PR:N), which makes a broad user base reachable. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but its client‑side nature still poses significant risk for user‑facing WordPress sites: an attacker only needs to place the malicious link in an email or social‑media post.

Generated by OpenCVE AI on March 25, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bookly to the newest released version (26.8 or later) to remove the vulnerable code.
  • Verify the update by ensuring the affected URL parameters no longer reflect the injected payload.
  • If an upgrade is delayed, implement a temporary filter or WAF rule to strip or encode script tags from Bookly input fields.
  • Apply a strict Content‑Security‑Policy (e.g., script-src 'self') to limit the execution of user‑supplied scripts.
  • Monitor site traffic for unexpected loads of external scripts or anomaly patterns that may indicate exploitation attempts.
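The recommended actions above describe output escaping and a Content‑Security‑Policy in general terms. The following is an added illustration, not Bookly's code and not from the OpenCVE record: it shows the reflected‑XSS pattern behind CWE-79 in a hypothetical WordPress shortcode handler, the escaped form next to it, and a `send_headers` hook that emits the `script-src 'self'` policy. The parameter names (`service`, `ref`) and function names are assumptions chosen for the example and are not identifiers from the affected plugin.

```php
<?php
// Added example (not Bookly's code). Names are hypothetical.

// VULNERABLE pattern: a request parameter is written into the page unescaped,
// so any markup carried in the URL becomes part of the rendered HTML.
function example_booking_notice_vulnerable() {
    $service = isset( $_GET['service'] ) ? wp_unslash( $_GET['service'] ) : '';
    return '<p class="notice">Booking for: ' . $service . '</p>';
}

// FIXED pattern: sanitize on the way in, escape for the HTML context on the way out.
// esc_html() neutralizes <, >, &, " and ' so the value can only render as text.
function example_booking_notice_fixed() {
    $service = isset( $_GET['service'] )
        ? sanitize_text_field( wp_unslash( $_GET['service'] ) )
        : '';
    return '<p class="notice">Booking for: ' . esc_html( $service ) . '</p>';
}

// The escaping function must match the output context: esc_attr() inside an
// attribute value, esc_url() for a URL. "Some" escaping is not enough.
function example_booking_link_fixed() {
    $ref = isset( $_GET['ref'] ) ? sanitize_text_field( wp_unslash( $_GET['ref'] ) ) : '';
    $url = add_query_arg( 'ref', $ref, home_url( '/book/' ) );
    return '<a href="' . esc_url( $url ) . '" data-ref="' . esc_attr( $ref ) . '">Book again</a>';
}

// Defense in depth: a Content-Security-Policy that only allows same-origin
// scripts, so an injected inline <script> is refused by the browser even if an
// escaping bug slips through. Front end only; test before deploying, because
// legitimate inline scripts from themes or other plugins will be blocked too.
function example_send_csp_header() {
    if ( ! is_admin() && ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'example_send_csp_header' );
```

The verification step in the list above maps directly onto the difference between the two notice functions: after the fix, requesting the page with markup in the parameter should show that markup rendered as literal text, not executed.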

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Bookly; Bookly bookly; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Bookly; Bookly bookly; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bookly Bookly bookly-responsive-appointment-booking-tool allows Reflected XSS. This issue affects Bookly: from n/a through <= 26.7.

Type: Title
Values Added: WordPress Bookly plugin <= 26.7 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:13:17.398Z

Reserved: 2026-03-12T11:12:34.192Z

Link: CVE-2026-32540

Vulnrichment

Updated: 2026-03-25T20:02:32.141Z

NVD

Status : Deferred

Published: 2026-03-25T17:17:07.837

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:13Z

Weaknesses