Platform
wordpress
Component
bookly-responsive-appointment-booking-tool
Fixed in
26.7.1
CVE-2026-32540 describes a reflected cross-site scripting (XSS) vulnerability in the Bookly Responsive Appointment Booking Tool for WordPress. Because the flaw is reflected rather than stored, the malicious script travels inside a crafted URL and is echoed back unencoded by the vulnerable page; a victim who follows such a link has the script run in their browser, which can lead to session hijacking or data theft. The advisory applies to Bookly versions prior to 26.8, and a patched release is available.
The primary impact of a reflected XSS vulnerability is that the attacker executes arbitrary JavaScript in the context of the victim's browser session on the affected site. That script can read page content and form data, redirect the user to a malicious site, deface the page, or perform actions on behalf of the user without their knowledge. WordPress marks its authentication cookies HttpOnly, so outright cookie theft is usually blocked, but script running inside an authenticated session can still act with that user's privileges. The attack reaches only users who can be induced to open a crafted link (by email, chat, or a link planted on another site), not every visitor to the page; on a WordPress site the most valuable targets are logged-in administrators or staff managing bookings, whose hijacked session can be turned into full control of the site.
CVE-2026-32540 was publicly disclosed on 2026-03-25. While no active exploitation campaigns have been confirmed, the ease of exploitation associated with Reflected XSS vulnerabilities means it is likely to be targeted. No Proof of Concept (PoC) code has been publicly released at the time of writing, but the vulnerability is relatively straightforward to exploit, increasing the risk of opportunistic attacks. It is not currently listed on the CISA KEV catalog.
Websites using the Bookly plugin for appointment scheduling are at risk, particularly those with authenticated users or handling personal data from bookings. Because XSS executes in the victim's browser rather than on the server, the exposure is concentrated where privileged users (site administrators, staff processing appointments) can be lured into opening a crafted link; a hijacked administrator session is the path from a reflected script to a compromised site.
• wordpress / composer / npm:
wp plugin list | grep bookly
grep -m1 -E "^\s*\*?\s*Version:" /var/www/html/wp-content/plugins/bookly-responsive-appointment-booking-tool/*.php
• generic web:
curl -s 'https://your-website.com/bookly/?param=%3Cscript%3Ealert(1)%3C%2Fscript%3E' | grep -c '<script>alert(1)</script>'
The parameter name above is a placeholder; the advisory does not name the affected parameter. A count greater than 0 means the payload came back unencoded. The payload must be percent-encoded and the URL quoted, because an unquoted `<script>` in a shell command is parsed as a redirection, and `curl -I` cannot be used here since it fetches only headers and never the body in which reflection would appear.
Disclosure
Exploit status
EPSS
0.04% (11th percentile)
CVSS vector
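The one-liners above tell you the installed version and whether a test payload comes back. The Python below is an added example, not code from the advisory or from the Bookly project, that does both jobs offline and more carefully: it gates on the installed version using the advisory's 26.8 threshold, builds a properly percent-encoded probe URL around a unique canary, and classifies how a response reflected that canary (unencoded, entity-encoded, stripped, or absent). The parameter name, the base URL and the sample response bodies are constructed placeholders; the advisory does not name the affected parameter.

```python
"""CVE-2026-32540 helper: version gate plus reflection classification.

Added example; not part of the advisory or the Bookly plugin. Parameter
names, URLs and sample responses are constructed for the demo.
"""
import html
import re
import secrets
from urllib.parse import urlencode

# Threshold taken from the advisory text: versions prior to 26.8 are affected.
FIXED_VERSION = (26, 8)


def parse_version(text):
    """Turn '26.7.1' into (26, 7, 1); a trailing label such as '-beta' is dropped."""
    parts = []
    for piece in re.split(r"[.\-+]", text.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(installed):
    """True when the installed Bookly version is below the fixed release."""
    return parse_version(installed) < FIXED_VERSION


def make_canary():
    """Alphanumeric token unique to this run. It carries no markup of its own,
    so the verdict depends on how the site reflects it, not on whether a WAF
    recognised a textbook payload."""
    return "cve32540" + secrets.token_hex(4)


def probe_url(base_url, param, canary):
    """GET URL for the probe. 'param' is the parameter under test; the advisory
    does not name it, so the caller supplies it (assumption)."""
    payload = f"<{canary}>"
    return base_url + "?" + urlencode({param: payload})  # '<' -> %3C, '>' -> %3E


def classify_reflection(body, canary):
    """Decide what the response did with the probe."""
    raw = f"<{canary}>"
    if raw in body:
        return "unencoded"      # markup survived: exploitable reflection
    if html.escape(raw) in body:
        return "encoded"        # &lt;...&gt;: output encoding is in place
    if canary in body:
        return "stripped"       # tag characters removed, token itself echoed
    return "absent"             # not reflected at all


# Constructed sample responses (not captured from any real site).
SAMPLE_CANARY = "cve32540deadbeef"
SAMPLE_RESPONSES = {
    "vulnerable": '<div class="bookly-form">Results for <cve32540deadbeef></div>',
    "patched": '<div class="bookly-form">Results for &lt;cve32540deadbeef&gt;</div>',
    "filtered": '<div class="bookly-form">Results for cve32540deadbeef</div>',
    "unrelated": '<div class="bookly-form">No results</div>',
}


def run_samples():
    """Classify each constructed response; returns {name: verdict}."""
    return {name: classify_reflection(body, SAMPLE_CANARY)
            for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for version in ("26.7", "26.7.1", "26.8", "26.10"):
        print(version, "affected" if is_affected(version) else "not affected")
    print(probe_url("https://your-website.com/bookly/", "param", SAMPLE_CANARY))
    for name, verdict in run_samples().items():
        print(f"{name:10} -> {verdict}")
```

Against a live site, fetch the URL from probe_url() with the canary from make_canary() and pass the response body to classify_reflection(); only "unencoded" indicates the reflected XSS condition, while "encoded" is what a patched page should produce.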
The recommended mitigation for CVE-2026-32540 is to upgrade Bookly to version 26.8 or later without delay. If upgrading is not immediately feasible, apply input validation and output encoding appropriate to the HTML context to any user-supplied data the site echoes back (in WordPress, the esc_html(), esc_attr() and esc_url() helpers). A Web Application Firewall (WAF) with rules that block common XSS payloads adds a temporary layer of protection, but WAF rules are routinely bypassed and do not replace the patch. Regularly scan the WordPress site for vulnerable plugin versions using security plugins.
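To make "input validation and output encoding" concrete, the following added example (not Bookly's code; it renders a hypothetical search parameter and a back link) places the vulnerable string concatenation next to a hardened version that validates the input and encodes it per HTML context, and audits both renderings with Python's standard-library HTML parser so that entity-encoded text is not mistaken for live markup. The WordPress equivalents of the three encoders are esc_html(), esc_attr() and esc_url().

```python
"""Vulnerable versus hardened rendering of a reflected request value.

Added example; not Bookly's code. The 'query' and 'back_link' parameters and
the attack strings below are constructed for the demo.
"""
import html
import re
from html.parser import HTMLParser


def render_unsafe(query, back_link):
    """Vulnerable pattern: the request value lands in three HTML contexts
    (text node, quoted attribute, URL attribute) without any encoding."""
    return (
        f"<p>Search results for {query}</p>\n"
        f'<input type="text" name="query" value="{query}">\n'
        f'<a href="{back_link}">back</a>'
    )


def esc_html(value):
    """Text-node context (WordPress equivalent: esc_html)."""
    return html.escape(value, quote=True)


def esc_attr(value):
    """Quoted attribute context (WordPress equivalent: esc_attr). The quotes
    in the template are mandatory: escaping alone does not protect an
    unquoted attribute, where a space is enough to start a new attribute."""
    return html.escape(value, quote=True)


def esc_url(value):
    """URL attribute context (WordPress equivalent: esc_url). Allow-list the
    shapes the feature needs (http(s) or a same-origin path) instead of trying
    to blacklist 'javascript:' spellings, then encode for the attribute."""
    candidate = value.strip()
    lowered = candidate.lower()
    if lowered.startswith(("http://", "https://")):
        return html.escape(candidate, quote=True)
    if candidate.startswith("/") and not candidate.startswith("//"):
        return html.escape(candidate, quote=True)  # reject protocol-relative '//'
    return ""


def validate_query(query, max_len=64):
    """Input validation first: accept only what the feature needs (here letters,
    digits and spaces) and reject everything else rather than trying to clean it."""
    return re.fullmatch(r"[A-Za-z0-9 ]{1,%d}" % max_len, query) is not None


def render_safe(query, back_link):
    """Hardened pattern: one encoder per context, chosen by where the value lands."""
    return (
        f"<p>Search results for {esc_html(query)}</p>\n"
        f'<input type="text" name="query" value="{esc_attr(query)}">\n'
        f'<a href="{esc_url(back_link)}">back</a>'
    )


class _Auditor(HTMLParser):
    """Collects script elements, on* event handlers and javascript: URLs that
    the browser would actually see as markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append((tag, "script element"))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, f"event handler {name}"))
            if name == "href" and value and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, "javascript: URL"))


def audit(rendered):
    """Return the list of (tag, reason) findings for a rendered fragment."""
    parser = _Auditor()
    parser.feed(rendered)
    parser.close()
    return parser.findings


# Constructed attack inputs, one per context.
PAYLOAD_TEXT = "<script>alert(1)</script>"
PAYLOAD_ATTR = '"><img src=x onerror=alert(1)>'
PAYLOAD_URL = "javascript:alert(1)"

if __name__ == "__main__":
    for payload in (PAYLOAD_TEXT, PAYLOAD_ATTR):
        print("unsafe:", audit(render_unsafe(payload, "/book")))
        print("safe:  ", audit(render_safe(payload, "/book")))
    print("unsafe url:", audit(render_unsafe("hair cut", PAYLOAD_URL)))
    print("safe url:  ", audit(render_safe("hair cut", PAYLOAD_URL)))
```

Note that the attribute payload never uses `<script>`, which is why grepping responses for that one string is not a sufficient test: the hardened output is judged by whether the parser sees new elements or handlers, not by which characters appear in it.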
Update to version 26.8 or a newer patched version
CVE-2026-32540 is a Reflected XSS vulnerability in Bookly versions up to 26.7, allowing attackers to inject malicious scripts via crafted URLs.
If you are using Bookly version 26.7 or earlier, you are affected by this vulnerability. Upgrade to version 26.8 or later to mitigate the risk.
The recommended fix is to upgrade Bookly to version 26.8 or later. Consider input validation and WAF rules as interim measures.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to become a target for attackers.
Refer to the Bookly plugin website and WordPress.org plugin repository for the latest security advisories and updates.