Description
The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number in the 'tips' parameter, causing the total price to be reduced to zero.
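The weak calculation next to its hardened form, as an added illustration written for this advisory in Python (it is not the plugin's PHP code): the service catalogue, the tip cap and the function names are constructed assumptions, and the hardened version computes the total only from configured prices plus a validated, non-negative tip.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed server-side configuration (hypothetical values, not the plugin's data):
# prices come from the site owner's settings, never from the request.
SERVICE_PRICES = {"haircut": Decimal("40.00"), "massage": Decimal("90.00")}
MAX_TIP = Decimal("500.00")  # assumed upper bound for a single booking
CENTS = Decimal("0.01")


class InvalidBookingInput(ValueError):
    """Raised when request data fails validation; the caller returns an error response."""


def total_unchecked(service_ids, raw_tips):
    """Weak pattern: the client-supplied 'tips' value is added straight into the total,
    so a negative value cancels out the configured service price."""
    subtotal = sum((SERVICE_PRICES[s] for s in service_ids), Decimal("0.00"))
    return subtotal + Decimal(str(raw_tips))


def parse_tips(raw):
    """Hardened pattern: accept only a finite, non-negative amount within the cap,
    normalised to two decimal places; anything else is rejected, not clamped."""
    if raw is None or raw == "":
        return Decimal("0.00")
    try:
        tips = Decimal(str(raw).strip())
    except InvalidOperation:
        raise InvalidBookingInput("tips must be a decimal number")
    # is_finite() is checked first: ordering comparisons against NaN raise in decimal.
    if not tips.is_finite() or tips < 0 or tips > MAX_TIP:
        raise InvalidBookingInput("tips must be between 0 and %s" % MAX_TIP)
    return tips.quantize(CENTS, rounding=ROUND_HALF_UP)


def total_validated(service_ids, raw_tips):
    """Compute the amount to charge from configured prices plus validated tips.
    Only service identifiers cross the trust boundary; prices and the total never do."""
    unknown = [s for s in service_ids if s not in SERVICE_PRICES]
    if unknown:
        raise InvalidBookingInput("unknown service(s): %s" % ", ".join(unknown))
    subtotal = sum((SERVICE_PRICES[s] for s in service_ids), Decimal("0.00"))
    return subtotal + parse_tips(raw_tips)
```

The same check belongs wherever the stored booking is re-priced before payment, so a value validated at one endpoint cannot be replaced later in the flow.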
Problem types
CWE-472 External Control of Assumed-Immutable Web Parameter
Product status
Any version
Timeline
| Date | Event |
| --- | --- |
| 2026-03-31 | Vendor Notified |
| 2026-04-08 | Disclosed |
Credits
Youssef Elouaer
References
www.wordfence.com/...-2659-4e8b-a0b9-138b1db89e36?source=cve
plugins.trac.wordpress.org/.../trunk/lib/UserBookingData.php
plugins.trac.wordpress.org/...ntend/modules/booking/Ajax.php
plugins.trac.wordpress.org/...ng-tool/trunk/lib/CartInfo.php
plugins.trac.wordpress.org/changeset/3480956/
www.booking-wp-plugin.com/change-log/