HIGHCVE-2026-32540CVSS 7.1

WordPress Bookly 插件 <= 26.7 - 反射型跨站脚本 (XSS) 漏洞

Q: What is CVE-2026-32540 — Reflected XSS in Bookly Appointment Booking?

CVE-2026-32540 is a Reflected XSS vulnerability in Bookly versions up to 26.7, allowing attackers to inject malicious scripts via crafted URLs.

Q: Am I affected by CVE-2026-32540 in Bookly Appointment Booking?

If you are using Bookly version 26.7 or earlier, you are affected by this vulnerability. Upgrade to version 26.8 or later to mitigate the risk.

Q: How do I fix CVE-2026-32540 in Bookly Appointment Booking?

The recommended fix is to upgrade Bookly to version 26.8 or later. Consider input validation and WAF rules as interim measures.

Q: Is CVE-2026-32540 being actively exploited?

While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to become a target for attackers.

Q: Where can I find the official Bookly advisory for CVE-2026-32540?

Refer to the Bookly plugin website and WordPress.org plugin repository for the latest security advisories and updates.

平台

wordpress

组件

bookly-responsive-appointment-booking-tool

修复版本

26.7.1

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

CVE-2026-32540 describes a Reflected Cross-Site Scripting (XSS) vulnerability present in the Bookly Responsive Appointment Booking Tool for WordPress. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or data theft. The vulnerability impacts versions of Bookly from n/a up to and including 26.7, and a patch is available in version 26.8.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

An attacker could exploit this Reflected XSS vulnerability by crafting a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes within their browser context, allowing the attacker to steal cookies, redirect the user to a phishing site, or deface the website. The impact is particularly severe if the website handles sensitive user data, such as appointment details or payment information. Successful exploitation could compromise user accounts and damage the website's reputation. This type of XSS is often used to gain initial access to a system or to escalate privileges.

利用背景翻译中…

CVE-2026-32540 was publicly disclosed on 2026-03-25. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of exploitation for Reflected XSS vulnerabilities means it is likely to become a target for automated scanners and opportunistic attackers. The EPSS score is likely to be medium, reflecting the relatively straightforward nature of exploiting this type of vulnerability.

哪些人处于风险中翻译中…

Websites using the Bookly plugin for appointment scheduling, particularly those with user authentication or handling sensitive data, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one website could potentially lead to the compromise of others.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r "<script>" /var/www/html/wp-content/plugins/bookly-responsive-appointment-booking-tool/*

• generic web:

curl -I https://your-website.com/bookly/?param=<script>alert(1)</script>

• wordpress / composer / npm:

wp plugin list | grep bookly

攻击时间线

2026-03-25Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

报告1 份威胁报告

EPSS

0.04% (11% 百分位)

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope: 已改变 — 攻击可以超出脆弱组件，影响其他系统。
Confidentiality: 低 — 可访问部分数据。
Integrity: 低 — 攻击者可修改部分数据，影响有限。
Availability: 低 — 部分或间歇性拒绝服务。

受影响的软件

组件bookly-responsive-appointment-booking-tool

供应商wordfence

影响范围修复版本

n/a – <= 26.726.7.1

软件包信息

活跃安装数: 70K已知
插件评分: 4.4
需要WordPress版本: 3.7+
兼容至: 6.9.4
需要PHP版本: 5.3.7+

主页

弱点分类 (CWE)

CWE-79

时间线

已保留2026-03-12
发布日期2026-03-25
修改日期2026-04-29
EPSS 更新日期2026-04-02

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2026-32540 is to upgrade Bookly to version 26.8 or later, which contains the fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on user-supplied data within the Bookly plugin. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly scan your WordPress installation for vulnerabilities using security plugins and tools.

修复方法

更新到版本 26.8，或更新的修复版本

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2026-32540 — Reflected XSS in Bookly Appointment Booking?

CVE-2026-32540 is a Reflected XSS vulnerability in Bookly versions up to 26.7, allowing attackers to inject malicious scripts via crafted URLs.

Am I affected by CVE-2026-32540 in Bookly Appointment Booking?

If you are using Bookly version 26.7 or earlier, you are affected by this vulnerability. Upgrade to version 26.8 or later to mitigate the risk.

How do I fix CVE-2026-32540 in Bookly Appointment Booking?

The recommended fix is to upgrade Bookly to version 26.8 or later. Consider input validation and WAF rules as interim measures.

Is CVE-2026-32540 being actively exploited?

While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to become a target for attackers.

Where can I find the official Bookly advisory for CVE-2026-32540?

Refer to the Bookly plugin website and WordPress.org plugin repository for the latest security advisories and updates.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE