The Bookly WordPress plugin contains a stored cross‑site scripting flaw in the way it handles data stored in the 'bookly-customer-full-name' cookie. Because the cookie value is not sanitized or escaped before being rendered, an attacker can place arbitrary JavaScript into that cookie. When a victim visits any page that reads the cookie, the script runs with the victim’s browser context, potentially leading to credential theft, session hijacking, or defacement. The weakness is a classic input validation error (CWE‑79).

WordPress sites running the Bookly scheduling plugin version 27.2 or earlier are vulnerable. The vulnerability is present in all releases up to 27.2 regardless of other plugins. Sites using newer versions (27.3 and later) are unaffected.

The CVSS score of 7.2 indicates medium‑high severity. Because the flaw requires the "Remember personal information in cookies" setting to be enabled (which is disabled by default), the real‑world exploitability may be limited to installations where this setting is knowingly turned on. EPSS data is not available, so it is unclear how frequently attackers have observed or attempted this exploit. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed public exploitation reported at this time. Nonetheless, authors of affected sites can execute arbitrary code in the browser of anyone viewing an injected page, making the risk significant for publicly accessible systems that process user data and rely on the cookie for personal information.