Platform
wordpress
Component
bookly-responsive-appointment-booking-tool
Opgelost in
26.7.1
CVE-2026-32540 describes a Reflected Cross-Site Scripting (XSS) vulnerability present in the Bookly Responsive Appointment Booking Tool for WordPress. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or data theft. The vulnerability impacts versions of Bookly from n/a up to and including 26.7, and a patch is available in version 26.8.
An attacker could exploit this Reflected XSS vulnerability by crafting a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes within their browser context, allowing the attacker to steal cookies, redirect the user to a phishing site, or deface the website. The impact is particularly severe if the website handles sensitive user data, such as appointment details or payment information. Successful exploitation could compromise user accounts and damage the website's reputation. This type of XSS is often used to gain initial access to a system or to escalate privileges.
CVE-2026-32540 was publicly disclosed on 2026-03-25. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of exploitation for Reflected XSS vulnerabilities means it is likely to become a target for automated scanners and opportunistic attackers. The EPSS score is likely to be medium, reflecting the relatively straightforward nature of exploiting this type of vulnerability.
Websites using the Bookly plugin for appointment scheduling, particularly those with user authentication or handling sensitive data, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "<script>" /var/www/html/wp-content/plugins/bookly-responsive-appointment-booking-tool/*• generic web:
curl -I https://your-website.com/bookly/?param=<script>alert(1)</script>• wordpress / composer / npm:
wp plugin list | grep booklydisclosure
Exploit Status
EPSS
0.04% (11% percentiel)
CVSS-vector
The primary mitigation for CVE-2026-32540 is to upgrade Bookly to version 26.8 or later, which contains the fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on user-supplied data within the Bookly plugin. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly scan your WordPress installation for vulnerabilities using security plugins and tools.
Update naar versie 26.8, of een nieuwere gepatchte versie
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2026-32540 is a Reflected XSS vulnerability in Bookly versions up to 26.7, allowing attackers to inject malicious scripts via crafted URLs.
If you are using Bookly version 26.7 or earlier, you are affected by this vulnerability. Upgrade to version 26.8 or later to mitigate the risk.
The recommended fix is to upgrade Bookly to version 26.8 or later. Consider input validation and WAF rules as interim measures.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to become a target for attackers.
Refer to the Bookly plugin website and WordPress.org plugin repository for the latest security advisories and updates.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.