MEDIUM · CVE-2026-2519 · CVSS 5.3

CVE-2026-2519: Malicious just4testlm Package ≤0.9.3

Platform: wordpress

Component: bookly-responsive-appointment-booking-tool

Fixed in: 27.0.1

AI Confidence: high · NVD EPSS: 0.0% · Reviewed: Apr 2026

CVE-2026-2519 concerns the just4testlm package, specifically versions up to 0.9.3. This package contains a malicious payload embedded within its setup.py file, designed to execute remote scripts or steal environment variables during installation. Malicious versions are quickly removed and replaced with benign code, indicating a targeted and evolving threat.


Impact and Attack Scenarios

CVE-2026-2519 in the Bookly WordPress plugin allows unauthenticated attackers to manipulate prices via the 'tips' parameter. By submitting a negative number, attackers can reduce the total price to zero. This poses a significant risk to businesses using Bookly, potentially leading to financial losses due to forced free appointments. The lack of server-side validation on user-supplied input allows this manipulation. The impact is amplified if the website lacks other robust security measures to protect financial transactions. This vulnerability affects all versions of Bookly up to and including 27.0, making timely updates crucial.

Exploitation Context

An unauthenticated attacker can exploit this vulnerability by sending a malicious HTTP request to the Bookly payment page. This request will include a 'tips' parameter with a negative value. Due to the lack of validation, the plugin will misinterpret this value, resulting in a total price of zero. The attacker could automate this process using tools like cURL or custom scripts to perform multiple requests and maximize the impact. The ease of exploitation, combined with Bookly's widespread adoption, makes this a significant risk for WordPress websites.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High
Reports: 1 threat report

EPSS

0.04% (13% percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (base score 5.3, MEDIUM)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: bookly-responsive-appointment-booking-tool
Vendor: wordfence
Affected range: 0.0.0 – 27.0
Fixed in: 27.0.1

Package Information

Active installs: 70K (Known)
Plugin rating: 4.4
Requires WordPress: 3.7+
Compatible up to: 6.9.4
Requires PHP: 5.3.7+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-2519 is to update the Bookly plugin to version 27.1 or higher. This update includes the necessary server-side validation for the 'tips' parameter, preventing price manipulation. In the interim, carefully review all appointment transactions for suspicious patterns. Consider implementing price monitoring to detect anomalies. Temporarily disabling the tipping feature is also an option. Regular website backups are essential before applying any plugin updates to prevent data loss.
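The price-manipulation mechanism described under "Exploitation Context" and the server-side validation named as the fix both come down to how a user-supplied tip value is accepted before it is added to a total. The following PHP is an added illustration written for this page; it is not Bookly's code, and the function names, the `tips` handling and the constructed inputs are assumptions. It places the unsafe pattern (trusting the client value as-is) beside a validated version that rejects negative, non-numeric and out-of-range input and never lets a tip reduce the base price.

```php
<?php
// Added example, not Bookly's code. Function names and limits are hypothetical.

/**
 * Return a validated, non-negative tip amount (two decimal places),
 * or null if the raw input cannot be accepted.
 */
function validate_tip_amount($raw, float $max_tip = 10000.0): ?float
{
    // Only scalar input is considered; arrays and objects are rejected outright.
    if (!is_string($raw) && !is_int($raw) && !is_float($raw)) {
        return null;
    }
    $s = trim((string) $raw);

    // Accept only an unsigned decimal with at most two fractional digits.
    // This rejects "-50", "-0", "1e3", "0x10", "abc" and empty input.
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $s)) {
        return null;
    }

    $tip = (float) $s;
    if ($tip < 0.0 || $tip > $max_tip) {
        return null;
    }
    return round($tip, 2);
}

/**
 * Hardened total: an unacceptable tip is treated as zero (a real handler
 * would more likely reject the request with HTTP 400), and as defence in
 * depth the result can never fall below the base price.
 */
function compute_total(float $base_price, $raw_tip): float
{
    $tip = validate_tip_amount($raw_tip);
    if ($tip === null) {
        $tip = 0.0;
    }
    return max($base_price + $tip, $base_price);
}

/**
 * Unsafe pattern for contrast: the client-supplied value is cast and added
 * without validation, so a negative value lowers the total.
 */
function compute_total_unsafe(float $base_price, $raw_tip): float
{
    return $base_price + (float) $raw_tip;
}

// Constructed inputs standing in for the 'tips' request parameter.
$base_price = 50.00;
foreach (['5', '-50', '-0.01', '1e3', 'abc', '0', '12.345'] as $input) {
    printf(
        "tips=%-8s unsafe total=%7.2f   validated total=%7.2f\n",
        var_export($input, true),
        compute_total_unsafe($base_price, $input),
        compute_total($base_price, $input)
    );
}
```

Run it with `php` on the command line: the unsafe column shows `-50` turning a 50.00 booking into 0.00 and `1e3` adding 1000.00, while the validated column keeps the total at the base price for every rejected input. The same allow-list regex also gives a simple detection rule for request logs: any `tips` value that does not match it is worth flagging during the transaction review the mitigation text recommends.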

How to fix

Update to version 27.1, or a newer patched version


Frequently asked questions

What is CVE-2026-2519 in Online Scheduling and Appointment Booking System – Bookly?

Bookly is a popular WordPress plugin for online scheduling and appointment booking.

Am I affected by CVE-2026-2519 in Online Scheduling and Appointment Booking System – Bookly?

If you are using a version of Bookly prior to 27.1, your website is affected by this vulnerability.

How do I fix CVE-2026-2519 in Online Scheduling and Appointment Booking System – Bookly?

If you can't update yet, carefully review all appointment transactions and consider temporarily disabling the tipping feature.

Is CVE-2026-2519 being actively exploited?

No. Note, however, that an attacker does not need access to the website to exploit this vulnerability.

Where can I find the official Online Scheduling and Appointment Booking System – Bookly advisory for CVE-2026-2519?

You can download the update to version 27.1 or higher from the WordPress plugin repository or the official Bookly website.
