Platform
wordpress
Component
bookly-responsive-appointment-booking-tool
Fixed in
26.7.1
CVE-2026-32540 describes a Reflected Cross-Site Scripting (XSS) vulnerability present in the Bookly Responsive Appointment Booking Tool for WordPress. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or data theft. The vulnerability impacts versions of Bookly from n/a up to and including 26.7, and a patch is available in version 26.8.
An attacker could exploit this Reflected XSS vulnerability by crafting a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes within their browser context, allowing the attacker to steal cookies, redirect the user to a phishing site, or deface the website. The impact is particularly severe if the website handles sensitive user data, such as appointment details or payment information. Successful exploitation could compromise user accounts and damage the website's reputation. This type of XSS is often used to gain initial access to a system or to escalate privileges.
CVE-2026-32540 was publicly disclosed on 2026-03-25. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of exploitation for Reflected XSS vulnerabilities means it is likely to become a target for automated scanners and opportunistic attackers. The EPSS score is likely to be medium, reflecting the relatively straightforward nature of exploiting this type of vulnerability.
Exploit Status
EPSS
0.04% (11% percentile)
CVSS Vector
The primary mitigation for CVE-2026-32540 is to upgrade Bookly to version 26.8 or later, which contains the fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on user-supplied data within the Bookly plugin. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly scan your WordPress installation for vulnerabilities using security plugins and tools.
Update to version 26.8, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-32540 is a Reflected XSS vulnerability in Bookly versions up to 26.7, allowing attackers to inject malicious scripts via crafted URLs.
If you are using Bookly version 26.7 or earlier, you are affected by this vulnerability. Upgrade to version 26.8 or later to mitigate the risk.
The recommended fix is to upgrade Bookly to version 26.8 or later. Consider input validation and WAF rules as interim measures.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to become a target for attackers.
Refer to the Bookly plugin website and WordPress.org plugin repository for the latest security advisories and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.