Platform
wordpress
Component
bookly-responsive-appointment-booking-tool
Opgelost in
27.0.1
CVE-2026-2519 concerns the just4testlm package, specifically versions up to 0.9.3. This package contains a malicious payload embedded within its setup.py file, designed to execute remote scripts or steal environment variables during installation. Malicious versions are quickly removed and replaced with benign code, indicating a targeted and evolving threat.
CVE-2026-2519 in the Bookly WordPress plugin allows unauthenticated attackers to manipulate prices via the 'tips' parameter. By submitting a negative number, attackers can reduce the total price to zero. This poses a significant risk to businesses using Bookly, potentially leading to financial losses due to forced free appointments. The lack of server-side validation on user-supplied input allows this manipulation. The impact is amplified if the website lacks other robust security measures to protect financial transactions. This vulnerability affects all versions of Bookly up to and including 27.0, making timely updates crucial.
An unauthenticated attacker can exploit this vulnerability by sending a malicious HTTP request to the Bookly payment page. This request will include a 'tips' parameter with a negative value. Due to the lack of validation, the plugin will misinterpret this value, resulting in a total price of zero. The attacker could automate this process using tools like cURL or custom scripts to perform multiple requests and maximize the impact. The ease of exploitation, combined with Bookly's widespread adoption, makes this a significant risk for WordPress websites.
Exploit Status
EPSS
0.04% (13% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-2519 is to update the Bookly plugin to version 27.1 or higher. This update includes the necessary server-side validation for the 'tips' parameter, preventing price manipulation. In the interim, carefully review all appointment transactions for suspicious patterns. Consider implementing price monitoring to detect anomalies. Temporarily disabling the tipping feature is also an option. Regular website backups are essential before applying any plugin updates to prevent data loss.
Update to version 27.1, or a newer patched version
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
Bookly is a popular WordPress plugin for online scheduling and appointment booking.
If you are using a version of Bookly prior to 27.1, your website is vulnerable to this vulnerability.
While you can't update, carefully review all appointment transactions and consider temporarily disabling the tipping feature.
No, an attacker does not need access to the website to exploit this vulnerability.
You can download the update to version 27.1 or higher from the WordPress plugin repository or the official Bookly website.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.