Online Scheduling and Appointment Booking System – Bookly < 26.8 – Reflected Cross-Site Scripting | CVE 2026-32540 | Plugin Vulnerabilities

Description

The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 26.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

bookly-responsive-appointment-booking-tool

Fixed in 26.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3b59bf60-eadd-4942-a310-9d9f108820f0

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

ickogz

Verified

No

WPVDB ID

c8ff6c87-8ca4-49a4-be40-fbbd3ed3dcac

Timeline

Publicly Published

2026-03-20 (about 1 month ago)

Added

2026-03-26 (about 1 month ago)

Last Updated

2026-03-26 (about 1 month ago)

Other

Published

Title

Published

2024-09-26

Title

Sky Addons for Elementor < 2.5.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-08-07

Title

BaiduXZH Submit(百度熊掌号) <= 1.4.6 - Reflected Cross-Site Scripting

Published

2020-02-27

Title

Async Javascript < 2.20.02.27 - Subscriber+ Stored XSS via Plugin Settings Change

Published

2014-08-01

Title

HK Exif Tags 1.11 - hk_exif_tags.php hk_exif_tags_images_process Function EXIF Tags H&ling Stored XSS

Published

2024-03-28

Title

Better Elementor Addons < 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting