CVE-2026-2519

EUVD-2026-20890

09.04.2026, 13:16

The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number to the 'tips' parameter, causing the total price to be reduced to zero.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-472 - External Control of Assumed-Immutable Web Parameter
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

References

https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/frontend/modules/booking/Ajax.php#L709

https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/lib/CartInfo.php#L450

https://plugins.trac.wordpress.org/browser/bookly-responsive-appointment-booking-tool/trunk/lib/UserBookingData.php#L355

https://plugins.trac.wordpress.org/changeset/3480956/

https://www.booking-wp-plugin.com/change-log/

https://www.wordfence.com/threat-intel/vulnerabilities/id/ead87d8b-2659-4e8b-a0b9-138b1db89e36?source=cve