{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2519", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-15T06:39:59.038Z", "datePublished": "2026-04-09T12:28:06.471Z", "dateUpdated": "2026-04-13T15:15:09.493Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T12:28:06.471Z"}, "affected": [{"vendor": "ladela", "product": "Online Scheduling and Appointment Booking System \u2013 Bookly", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "27.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Online Scheduling and Appointment Booking System \u2013 Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number to the 'tips' parameter, causing the total price to be reduced to zero."}], "title": "Online Scheduling and Appointment Booking System \u2013 Bookly <= 27.0 - Unauthenticated Price Manipulation via 'tips'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ead87d8b-2659-4e8b-a0b9-138b1db89e36?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/lib/UserBookingData.php#L355"}, {"url": "https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/frontend/modules/booking/Ajax.php#L709"}, {"url": "https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/lib/CartInfo.php#L450"}, {"url": "https://plugins.trac.wordpress.org/changeset/3480956/"}, {"url": "https://www.booking-wp-plugin.com/change-log/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-472 External Control of Assumed-Immutable Web Parameter", "cweId": "CWE-472", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "timeline": [{"time": "2026-03-31T11:25:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2519", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:08:08.018443Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:15:09.493Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2519", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:08:08.018443Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:11:53.345Z"}}], "cna": {"title": "Online Scheduling and Appointment Booking System \u2013 Bookly <= 27.0 - Unauthenticated Price Manipulation via 'tips'", "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ladela", "product": "Online Scheduling and Appointment Booking System \u2013 Bookly", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "27.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-31T11:25:57.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ead87d8b-2659-4e8b-a0b9-138b1db89e36?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/lib/UserBookingData.php#L355"}, {"url": "https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/frontend/modules/booking/Ajax.php#L709"}, {"url": "https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/lib/CartInfo.php#L450"}, {"url": "https://plugins.trac.wordpress.org/changeset/3480956/"}, {"url": "https://www.booking-wp-plugin.com/change-log/"}], "descriptions": [{"lang": "en", "value": "The Online Scheduling and Appointment Booking System \u2013 Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number to the 'tips' parameter, causing the total price to be reduced to zero."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-472", "description": "CWE-472 External Control of Assumed-Immutable Web Parameter"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T12:28:06.471Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2519", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:15:09.493Z", "dateReserved": "2026-02-15T06:39:59.038Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-09T12:28:06.471Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Online Scheduling and Appointment Booking System \u2013 Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number to the 'tips' parameter, causing the total price to be reduced to zero."}], "id": "CVE-2026-2519", "lastModified": "2026-04-24T18:02:46.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-09T13:16:42.843", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/frontend/modules/booking/Ajax.php#L709"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/lib/CartInfo.php#L450"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/lib/UserBookingData.php#L355"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3480956/"}, {"source": "security@wordfence.com", "url": "https://www.booking-wp-plugin.com/change-log/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ead87d8b-2659-4e8b-a0b9-138b1db89e36?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-472"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,27.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Online Scheduling and Appointment Booking System \u2013 Bookly", "source": "cna", "vendor": "ladela"}, "product": "online_scheduling_and_appointment_booking_system_\u2013_bookly", "vendor": "ladela"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-09T14:35:18.807598+00:00", "value": {"mitigation_remediation": ["Update Bookly to the latest released version that removes the unchecked 'tips' input.", "If an immediate update is not possible, add server\u2011side validation to reject negative or non\u2011positive tip values and ensure the total price cannot fall below the base cost.", "Enable monitoring of booking submissions to detect zero\u2011price appointments and consider disabling the booking feature temporarily until the validation is in place."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated price manipulation"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Bookly scheduling plugin version 27.0 or earlier are affected. The vulnerability exists in the core booking module of the plugin and is not limited to a specific WordPress theme or custom code.", "description_and_impact": "The vulnerability allows an unauthenticated attacker to supply a negative number to the 'tips' parameter in the booking process. The plugin trusts this input without server\u2011side validation, causing the calculated total price to be reduced to zero. As a result, users can book appointments without paying, directly eroding the site owner's revenue.", "risk_and_exploitability": "The severity is rated moderate with a CVSS score of 5.3. No exploit probability data is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger it via an unauthenticated HTTP request to the booking endpoint, and no authentication or advanced privileges are required. The impact is primarily financial loss rather than system compromise."}}}}, "created": "2026-04-10T08:53:40.739240+00:00", "updated": "2026-04-10T09:32:51.781047+00:00", "vendors": ["ladela", "ladela$PRODUCT$online_scheduling_and_appointment_booking_system_\u2013_bookly", "wordpress", "wordpress$PRODUCT$wordpress"]}