Bookly Plugin Content Injection Security Advisory (CVE-2026-2519)

Content Injection in WordPress Bookly Plugin

  • Plugin Name: Bookly
  • Type of Vulnerability: Content Injection
  • CVE Number: CVE-2026-2519
  • Urgency: Low
  • CVE Publish Date: 2026-04-09
  • Source URL: CVE-2026-2519

Urgent: Bookly <= 27.0 — Unauthenticated “tips” Price Manipulation and Content Injection (CVE-2026-2519) — What WordPress Site Owners Must Do Now

By: Hong Kong Security Expert   |   Date: 2026-04-10

Summary: A public advisory (CVE-2026-2519) was published for the Bookly plugin: versions up to and including 27.0 are vulnerable to an unauthenticated price-manipulation and content-injection issue via the tips parameter. This post explains the vulnerability, who is at risk, how attackers may weaponise it, and practical mitigation steps you can implement immediately.

TL;DR — Key facts

  • Bookly plugin versions <= 27.0 (CVE-2026-2519) allow unauthenticated users to manipulate price via the tips parameter and to inject content into pages.
  • Public advisory reports a CVSS-style score ≈ 5.3; classified as content-injection / injection-class risk.
  • Bookly 27.1 contains the vendor patch — updating to 27.1 or later is the primary remediation.
  • If you cannot update immediately, strong mitigations include WAF rules to block or sanitize tips, rate-limiting booking endpoints, disabling the tipping UI, and enforcing strict server-side numeric validation.
  • Virtual patching at the edge (via your chosen WAF or security provider) can immediately reduce exposure while you test and apply the official plugin update.

Why this matters — beyond the score

Do not let a low or medium label lull you into inaction. The practical impact is twofold:

  1. Price manipulation: Attackers can tamper with booking totals, potentially enabling free or reduced-price bookings when server-side logic trusts client-supplied values.
  2. Content injection: If tips (or other parameters) are not properly sanitized, attackers can inject HTML or script that appears in confirmations or stored content — enabling phishing, credential theft, or reputational damage.

Small and medium businesses in Hong Kong and beyond use booking widgets widely (salons, clinics, consultancies). These sites are easy to mass-scan and exploit automatically, so quick action is warranted.

What the vulnerability looks like (high level)

The advisory indicates Bookly accepts and processes an unauthenticated tips parameter that:

  • Is accepted into the booking flow without authoritative server-side validation.
  • Can change the effective booking total (e.g., reduce or zero out the payable amount) if totals are computed or trusted client-side.
  • May be insufficiently sanitized, permitting reflected or stored HTML/script injection into pages or emails.

Typical root causes include client-side-only arithmetic, storing inputs without normalization, and public AJAX endpoints that return or write HTML fragments.
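To make the root causes concrete, here is an added example (not Bookly's code, and not from the advisory) contrasting a total that trusts client-supplied values with one that validates the tips parameter strictly and recomputes the total from a server-side price list. The service names, prices and the tip ceiling are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
import html
import re

# Constructed server-side price list (hypothetical; not Bookly's data model).
SERVICE_PRICES = {"haircut": Decimal("300.00"), "massage": Decimal("550.00")}

# A plain amount: up to six digits with an optional two-digit fraction.
_AMOUNT_RE = re.compile(r"^\d{1,6}(\.\d{1,2})?$")
MAX_TIP = Decimal("1000.00")  # constructed ceiling for the example


def total_trusting_client(params: dict) -> Decimal:
    """Root-cause pattern from the advisory: the request's own 'total' and
    'tips' are trusted, so whatever the client sends is what gets charged.
    Shown only to contrast with the hardened version below."""
    return Decimal(params["total"]) + Decimal(params["tips"])


class InvalidTip(ValueError):
    """Raised when 'tips' is not a plain, bounded, non-negative amount."""


def parse_tip(raw: str) -> Decimal:
    """Strict server-side numeric validation of the 'tips' parameter.
    HTML, signs, exponents and oversized values are rejected before the
    value can reach the total or any stored/echoed content."""
    if not isinstance(raw, str) or not _AMOUNT_RE.fullmatch(raw.strip()):
        raise InvalidTip("tips must be a plain non-negative amount")
    try:
        tip = Decimal(raw.strip())
    except InvalidOperation:
        raise InvalidTip("tips is not a valid decimal")
    if tip > MAX_TIP:
        raise InvalidTip("tips exceeds the allowed maximum")
    return tip.quantize(Decimal("0.01"))


def is_valid_tip(raw) -> bool:
    """Convenience check for WAF-style filtering or unit tests."""
    try:
        parse_tip(raw)
        return True
    except InvalidTip:
        return False


def total_recomputed_server_side(params: dict) -> Decimal:
    """Authoritative recalculation: the total comes from the server's price
    list plus the validated tip; any client-supplied 'total' is ignored."""
    services = params.get("services", [])
    unknown = [s for s in services if s not in SERVICE_PRICES]
    if unknown:
        raise ValueError(f"unknown service(s): {unknown}")
    subtotal = sum((SERVICE_PRICES[s] for s in services), Decimal("0.00"))
    return subtotal + parse_tip(params.get("tips", "0"))


def safe_tip_for_display(raw: str) -> str:
    """Escape before echoing a raw value into a confirmation page or email."""
    return html.escape(raw, quote=True)
```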

Who is at risk?

  • Sites running Bookly <= 27.0.
  • Sites exposing public (unauthenticated) booking flows — the common Bookly deployment.
  • Sites that do not recalculate totals server-side or lack HTTP-layer defenses (WAF, rate limiting).
  • Sites that have not applied the 27.1 patch.

If Bookly <= 27.0 is active on any of your sites, treat this as urgent. Automated scanners will attempt exploitation at scale.

Immediate action checklist (for site owners)

  1. Check your Bookly version:
    • WordPress admin → Plugins: confirm installed Bookly version.
    • If it’s <= 27.0, proceed immediately to update or apply mitigations below.
  2. Update Bookly to 27.1 or later:
    • If possible, update now. Test on staging if your workflow requires it.
  3. If you cannot update immediately:
    • Deploy WAF or edge rules to block or sanitize the tips parameter (block HTML, non-numeric values).
    • Disable or hide the tipping UI temporarily.
    • Enforce server-side numeric validation and authoritative recalculation of totals.
    • Monitor logs for suspicious requests to booking endpoints that include tips.
  4. Run a site integrity check:
    • Scan for unexpected pages or modified content.
    • Search the database for injected HTML (