- wordpress
- bookly
- xss
- cve
- plugin
news
Bookly WordPress Stored XSS via Cookie (CVE-2026-5513)
Unauthenticated stored XSS in Bookly ≤27.2 via bookly-customer-full-name cookie; scanner PoC indexed on Sploitus.
Summary
CVE-2026-5513 is a stored cross-site scripting (XSS) vulnerability in the Bookly WordPress appointment-booking plugin (versions ≤ 27.2). When the "Remember personal information in cookies" setting is enabled, the plugin reads the bookly-customer-full-name cookie and renders it into the booking form HTML without sanitization or escaping. No authentication is needed to supply the cookie, and the injected JavaScript executes in the browser of whoever loads a page containing the Bookly form, administrators included. Because the payload travels in a cookie, reaching a victim other than the attacker requires that cookie to be planted in the victim's browser (for example from another host under the same parent domain, or through a separate header-injection flaw) or the value to be persisted server-side, so the real exposure of a given site depends on that delivery path. A scanner/injection PoC is indexed on Sploitus.
OFFSITE.DARK references Sploitus as the aggregation source only.
Technical Details
| Field | Value |
|---|---|
| Plugin | Bookly |
| Affected | ≤ 27.2 |
| Patched | 27.3+ |
| Cookie | bookly-customer-full-name |
| Prerequisite | "Remember personal information in cookies" enabled (off by default) |
| Auth | None required to set cookie |
Vulnerable pattern (simplified from indexed PoC):

```php
// Bookly <= 27.2: the cookie value is read and echoed into the booking form
// with no sanitization on input and no escaping on output.
$full_name = isset( $_COOKIE['bookly-customer-full-name'] )
    ? $_COOKIE['bookly-customer-full-name']   // PHP has already URL-decoded it
    : '';
echo $full_name; // reflected without escaping: a '<script>' value lands in the page as markup
```
Patched in 27.3+ with sanitize_text_field() and esc_html().
Indexed PoC capabilities: auto IP/domain probing, Bookly version detection via readme.txt, cookie-setting verification via BooklyL10n JS analysis, multi-context XSS tests (HTML/JS/attribute), single-target and mass scan modes, proxy support.
Example usage from indexed tool:

```bash
python CVE-2026-5513.py -u https://target.com --inject -v
```
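As an added example, separate from the indexed PoC and not Bookly's own code, the following Python script implements the two checks such a scanner needs using only the standard library: version triage from the plugin's readme.txt (the standard WordPress location under wp-content/plugins/&lt;slug&gt;/, with the slug taken from the dork in the Mitigation section) and a canary-based reflection test that sends a harmless marker in the bookly-customer-full-name cookie and classifies the response as raw (the unescaped pattern shown above), escaped (esc_html() output, i.e. patched) or absent (cookie memory disabled, or no Bookly form on that page). The sample readme and response fragments are constructed for offline testing; probe() is the only function that touches the network, and the booking-page path it takes is an assumption.

```python
"""Offline-testable checks for CVE-2026-5513 (Bookly cookie reflection).

Added example: version triage from readme.txt plus a canary reflection test.
Not the indexed PoC and not Bookly's code.
"""
import html
import re
import urllib.error
import urllib.parse
import urllib.request

# Standard WordPress plugin layout; slug as used in the page's dork.
PLUGIN_SLUG = "bookly-responsive-appointment-booking-tool"
README_PATH = f"/wp-content/plugins/{PLUGIN_SLUG}/readme.txt"
COOKIE_NAME = "bookly-customer-full-name"
FIRST_FIXED = (27, 3)          # page: affected <= 27.2, patched 27.3+

# Harmless canary: contains angle brackets (so raw vs. escaped output differ)
# but no runnable markup, so nothing executes even against a live site.
CANARY = "cve2026x5513<c>"


def parse_stable_tag(readme_text: str):
    """Version tuple from a WordPress readme.txt 'Stable tag:' line, or None."""
    m = re.search(r"^Stable tag:\s*([0-9]+(?:\.[0-9]+)*)", readme_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable_version(version) -> bool:
    """True when the detected version is strictly below the first fixed release."""
    return version is not None and version < FIRST_FIXED


def build_cookie_header(value: str = CANARY) -> str:
    """Cookie header carrying the canary. Percent-encoding keeps '<' and '>'
    intact in transit; PHP URL-decodes cookie values into $_COOKIE."""
    return f"{COOKIE_NAME}={urllib.parse.quote(value, safe='')}"


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """'raw'     : canary rendered verbatim (the unescaped echo pattern)
       'escaped' : only the esc_html()-style form is present (patched sink)
       'absent'  : not rendered at all (cookie memory off / no form here)"""
    if canary in body:
        return "raw"
    if html.escape(canary) in body:
        return "escaped"
    return "absent"


def probe(base_url: str, booking_path: str = "/", timeout: float = 10.0) -> dict:
    """Live check (not exercised offline). booking_path is an assumption:
    point it at the page that actually embeds the Bookly form."""
    base = base_url.rstrip("/")
    result = {"version": None, "vulnerable_version": False, "reflection": None}
    try:
        with urllib.request.urlopen(base + README_PATH, timeout=timeout) as r:
            result["version"] = parse_stable_tag(r.read().decode("utf-8", "replace"))
    except OSError:
        pass                                    # readme hidden or unreachable
    result["vulnerable_version"] = is_vulnerable_version(result["version"])
    req = urllib.request.Request(base + booking_path,
                                 headers={"Cookie": build_cookie_header()})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            result["reflection"] = classify_reflection(r.read().decode("utf-8", "replace"))
    except OSError:
        pass
    return result


# Constructed sample artifacts standing in for three site states.
SAMPLE_README_OLD = "=== Bookly ===\nStable tag: 27.2\nTested up to: 6.8\n"
SAMPLE_README_NEW = "=== Bookly ===\nStable tag: 27.3.1\n"
SAMPLE_PAGE_RAW = '<input name="full_name" value="cve2026x5513<c>">'
SAMPLE_PAGE_ESCAPED = '<input name="full_name" value="cve2026x5513&lt;c&gt;">'
SAMPLE_PAGE_ABSENT = '<input name="full_name" value="">'

if __name__ == "__main__":
    for readme in (SAMPLE_README_OLD, SAMPLE_README_NEW):
        v = parse_stable_tag(readme)
        print("version", v, "vulnerable" if is_vulnerable_version(v) else "patched")
    for page in (SAMPLE_PAGE_RAW, SAMPLE_PAGE_ESCAPED, SAMPLE_PAGE_ABSENT):
        print(classify_reflection(page), "<-", page)
```

A raw result on a version at or above 27.3 would mean a different sink than the one described here and deserves a closer look rather than an automatic "patched" verdict; an absent result says nothing about the version, only that this page did not render the cookie.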
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-5513 |
| CVSS 3.1 | 7.2 (High) — AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
| CWE | CWE-79 — Improper Neutralization of Input During Web Page Generation |
| Sploitus date | 2026-06-14 |
Impact
Stored XSS in a widely deployed booking plugin enables:
- Riding the session of a WordPress administrator who views a booking page: WordPress auth cookies are HttpOnly, so the script cannot read them, but it runs with the admin's cookies and nonces and can act on the admin's behalf
- Plugin/theme editor abuse leading to site takeover
- Credential phishing overlays injected into legitimate booking flows
- Defacement and SEO spam via compromised admin sessions
Scope S:C reflects that the vulnerable component (the plugin on the server) differs from the impacted one (the browser of each visitor who loads the booking form), which is the standard CVSS treatment of XSS.
Mitigation
- Update Bookly to 27.3+ immediately.
- Disable "Remember personal information in cookies" in Bookly Settings → General if upgrade is delayed.
- Deploy WAF rules that inspect cookie values for XSS patterns, as a stopgap only: pattern filters are bypassable with encoding, and since PHP URL-decodes cookies before the plugin sees them, the rule must match on the decoded value.
- Implement Content-Security-Policy headers on WordPress frontends. A policy that forbids inline scripts blunts this class of bug, but most themes and plugins rely on inline scripts, so roll it out with Content-Security-Policy-Report-Only first and enforce only once the site runs clean.
- Hunt for exposed Bookly instances with dorks such as body="bookly-responsive-appointment-booking-tool" and verify the patch level of each hit.
Sources
- Sploitus — CVE-2026-5513 Bookly XSS PoC (index source)
- NVD — CVE-2026-5513