{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32540", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:34.192Z", "datePublished": "2026-03-25T16:15:11.278Z", "dateUpdated": "2026-04-29T09:52:01.368Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bookly-responsive-appointment-booking-tool", "product": "Bookly", "vendor": "Bookly", "versions": [{"changes": [{"at": "26.8", "status": "unaffected"}], "lessThanOrEqual": "<= 26.7", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "ickogz | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:43.361Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bookly Bookly bookly-responsive-appointment-booking-tool allows Reflected XSS.<p>This issue affects Bookly: from n/a through <= 26.7.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bookly Bookly bookly-responsive-appointment-booking-tool allows Reflected XSS.This issue affects Bookly: from n/a through <= 26.7."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:01.368Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/bookly-responsive-appointment-booking-tool/vulnerability/wordpress-bookly-plugin-26-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Bookly plugin <= 26.7 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32540", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:10:40.497853Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:13:17.398Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32540", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:10:40.497853Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:02:32.141Z"}}], "cna": {"title": "WordPress Bookly plugin <= 26.7 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "ickogz | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "affected": [{"vendor": "Bookly", "product": "Bookly", "versions": [{"status": "affected", "changes": [{"at": "26.8", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 26.7"}], "packageName": "bookly-responsive-appointment-booking-tool", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:43.361Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/bookly-responsive-appointment-booking-tool/vulnerability/wordpress-bookly-plugin-26-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bookly Bookly bookly-responsive-appointment-booking-tool allows Reflected XSS.This issue affects Bookly: from n/a through <= 26.7.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bookly Bookly bookly-responsive-appointment-booking-tool allows Reflected XSS.<p>This issue affects Bookly: from n/a through <= 26.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:11.278Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32540", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:13:17.398Z", "dateReserved": "2026-03-12T11:12:34.192Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:11.278Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bookly Bookly bookly-responsive-appointment-booking-tool allows Reflected XSS.This issue affects Bookly: from n/a through <= 26.7."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Bookly Bookly bookly-responsive-appointment-booking-tool permite XSS Reflejado. Este problema afecta a Bookly: desde n/a hasta &lt;= 26.7."}], "id": "CVE-2026-32540", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:07.837", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/bookly-responsive-appointment-booking-tool/vulnerability/wordpress-bookly-plugin-26-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[26.8,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "bookly", "vendor": "bookly"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T23:28:42.757390+00:00", "value": {"mitigation_remediation": ["Upgrade Bookly to the newest released version (26.8 or later) to remove the vulnerable code.", "Verify the update by ensuring the affected URL parameters no longer reflect the injected payload.", "If an upgrade is delayed, implement a temporary filter or WAF rule to strip or encode script tags from Bookly input fields.", "Apply a strict Content\u2011Security\u2011Policy (e.g., script-src 'self') to limit the execution of user\u2011supplied scripts.", "Monitor site traffic for unexpected loads of external scripts or anomaly patterns that may indicate exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Bookly plugin version 26.7 or earlier are affected. The vulnerability applies to all editions of the plugin released up to that version, regardless of other installed plugins or themes.", "description_and_impact": "Bookly, a WordPress appointment\u2011booking plugin, contains a reflected Cross\u2011Site Scripting vulnerability that allows attackers to inject arbitrary JavaScript into a page when the attacker crafts a specially composed URL. A victim who clicks the malicious link will execute the script in their browser, potentially compromising session cookies, defacing content, or conducting further attacks against the user. The flaw represents improper input validation, a classic client\u2011side weakness.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a moderate to high severity, with the attack likely occurring via a remote web request that a victim follows. The exploit does not require authentication or special user privileges, making it easier to target a broad user base. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but its client\u2011side nature still poses significant risk in user\u2011facing WordPress sites. An attacker can activate it simply by embedding a malicious link in email or social media."}}}}, "created": "2026-03-25T21:47:02.453132+00:00", "updated": "2026-03-26T12:12:13.441897+00:00", "vendors": ["bookly", "bookly$PRODUCT$bookly", "wordpress", "wordpress$PRODUCT$wordpress"]}