High-Severity XSS Vulnerability Discovered in WordPress Bookly Plugin

Key Takeaways

  • High-severity vulnerability: CVE-2026-5513 affects Bookly versions up to and including 27.2.
  • Unauthenticated exploitation: An attacker needs no credentials to plant a stored XSS payload.
  • Immediate risk mitigation: Disable the “Remember personal information in cookies” setting until a fixed release is installed.
  • Urgent updates: Update to the first patched version as soon as it is published.
  • Widespread impact: Any business that takes appointments through Bookly is exposed while the setting is enabled.

Context / Background

CVE-2026-5513 is rated high severity and can have serious consequences for affected WordPress sites. The flaw stems from insufficient input sanitization and output escaping of the value read from the bookly-customer-full-name cookie: the plugin places that value into page output without neutralizing HTML metacharacters. An attacker can therefore inject persistent malicious JavaScript that executes in the browser of anyone who views the affected pages.
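The pattern behind a cookie-driven XSS, and the fix, look like the following. This is an added illustration written for this page, not Bookly's code; the function names are hypothetical, and only the cookie name comes from the advisory. It assumes it runs inside WordPress, where sanitize_text_field(), wp_unslash(), esc_attr() and esc_html() are available.

```php
<?php
// Added example (not Bookly's code): a hypothetical booking-form pre-fill helper
// that reads the "remembered" customer name from the cookie named in the advisory.

// Vulnerable pattern: the cookie value is concatenated straight into an HTML attribute.
function demo_prefill_name_vulnerable(): string {
    $name = isset($_COOKIE['bookly-customer-full-name'])
        ? (string) $_COOKIE['bookly-customer-full-name']
        : '';
    // A value that starts with  ">  closes the attribute and the <input> tag,
    // so whatever follows it is parsed as new markup, script tags included.
    return '<input type="text" name="full_name" value="' . $name . '">';
}

// Hardened pattern: sanitize on the way in, escape for the exact context on the way out.
function demo_prefill_name_hardened(): string {
    $name = isset($_COOKIE['bookly-customer-full-name'])
        ? sanitize_text_field(wp_unslash((string) $_COOKIE['bookly-customer-full-name']))
        : '';
    // esc_attr() encodes quotes, angle brackets and ampersands, so the browser
    // treats the whole value as attribute text and never as markup.
    return '<input type="text" name="full_name" value="' . esc_attr($name) . '">';
}

// The same value shown as element text needs the element-text escaper instead.
function demo_greeting_hardened(string $name): string {
    return '<p>Welcome back, ' . esc_html($name) . '</p>';
}

// Persisting the value (for example into a customer record) does not remove the
// obligation to escape it: every later output point, including admin screens that
// list customers, must escape again. Sanitizing once at input is defence in depth,
// not a substitute for output escaping.
```

Input sanitization alone is the weaker half of the fix: sanitize_text_field() strips tags but a later output point that forgets esc_attr()/esc_html() still exposes the value, which is why the hardened form does both.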

Key Details

The vulnerability is notable for several reasons:

  • Affected Product: The Bookly WordPress plugin, versions up to and including 27.2.
  • Vulnerability Type: Unauthenticated stored cross-site scripting (CWE-79).
  • Attack Vector: The value of the bookly-customer-full-name cookie, which the plugin reads when “Remember personal information in cookies” is enabled.
  • Conditions for Exploitation: A vulnerable Bookly version with that setting enabled; no account or other privilege is required.

Impact

The implications of CVE-2026-5513 are significant, particularly given the kind of data Bookly handles:

  • Risk to Businesses: Exposure of customer data can disrupt operations and damage user trust.
  • Unauthenticated Exploitation: The attacker needs no credentials, so the attack surface is every visitor who can set the cookie.
  • Administrative Access: If an administrator views a page where the payload executes, the script runs with that administrator's session and can be used to take over the account and alter the site.

What’s Next

Site administrators using the Bookly plugin are advised to take immediate action:

  1. Update Bookly: Install the first patched version as soon as it is published.
  2. Review Settings: Until then, disable the “Remember personal information in cookies” setting so the plugin stops reading the affected cookie.
  3. Monitor Site Activity: Check web server logs for requests carrying unusual bookly-customer-full-name cookie values, and review customer and appointment records for injected markup, since a stored payload persists until it is removed.
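For a site that cannot be updated or reconfigured immediately, a small must-use plugin can act as a virtual patch for steps 2 and 3 together: it inspects the cookie named in the advisory before Bookly loads, logs suspicious values, and drops them for the request. This is an added example written for this page, not part of Bookly or WordPress core; the plugin name, function names and the detection pattern are assumptions, and it does nothing about payloads that were stored before it was installed.

```php
<?php
/**
 * Plugin Name: Bookly cookie guard (added example, not part of Bookly)
 *
 * Place this file in wp-content/mu-plugins/. Must-use plugins load before
 * regular plugins, so the check below runs before Bookly reads the cookie.
 * It is a stopgap for unpatched sites, not a replacement for the vendor update.
 */

// Cookies to inspect. Only the cookie named in the advisory is listed; extend
// the array if your own review finds other user-controlled cookies rendered by the plugin.
const BOOKLY_GUARD_COOKIES = ['bookly-customer-full-name'];

// Heuristic (assumed for this example, tune it for your site): a real person's name
// never needs angle brackets, double quotes, a javascript: URL or an on*= handler.
// Apostrophes are deliberately allowed because names such as O'Brien are common.
function bookly_guard_looks_malicious(string $value): bool {
    return (bool) preg_match('/[<>"]|javascript:|on\w+\s*=/i', $value);
}

function bookly_guard_run(): void {
    foreach (BOOKLY_GUARD_COOKIES as $cookie) {
        if (!isset($_COOKIE[$cookie])) {
            continue;
        }
        $value = (string) $_COOKIE[$cookie];
        if (!bookly_guard_looks_malicious($value)) {
            continue;
        }
        // Log enough to investigate (source address, request URI, the value itself).
        // The value is hex-encoded so the payload cannot re-execute in a log viewer
        // that renders HTML, and truncated so a huge cookie cannot flood the log.
        error_log(sprintf(
            '[bookly-guard] suspicious %s cookie from %s on %s: %s',
            $cookie,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            $_SERVER['REQUEST_URI'] ?? 'unknown',
            bin2hex(substr($value, 0, 200))
        ));
        // Remove the value for this request so nothing downstream can render it.
        // The browser will resend it on the next request, where the guard runs again.
        unset($_COOKIE[$cookie]);
    }
}

bookly_guard_run();
```

Error-log entries from this guard are the concrete signal to watch for under step 3; a burst of them from one address is an active probe, and any entry at all means the stored data should be reviewed for a payload that arrived before the guard was in place.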

FAQ Section

What is CVE-2026-5513?

CVE-2026-5513 is a high-severity XSS vulnerability affecting the Bookly WordPress plugin, allowing unauthenticated attackers to execute malicious scripts.

How can I protect my site from this vulnerability?

Update to the latest version of the Bookly plugin and disable the “Remember personal information in cookies” feature to mitigate risk.

What types of attacks can occur due to this vulnerability?

Script that executes in a victim's browser can steal session cookies and other sensitive data, hijack accounts (including administrator accounts if an administrator views the affected page), and change site content or settings.
