CVE-2026-5513

HIGH

Online Scheduling and Appointment Booking System – Bookly <= 27.2 - Unauthenticated Stored Cross-Site Scripting via 'bookly-customer-full-name' Cookie

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-5513. PoCs published by 87achrafg-stack, Xaanziu.

AI-analyzed exploit summary The repository claims to provide an exploit for CVE-2026-5513 (Bookly Stored XSS) but lacks actual exploit code, instead pushing external downloads via Telegram links and listing generic features without technical depth.

Description

The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires 'Remember personal information in cookies' setting to be enabled (disabled by default).

Exploits (2)

github SUSPICIOUS

by 87achrafg-stack · poc

https://github.com/87achrafg-stack/CVE-2026-5513

View Code ZIP pw:eip

The repository claims to provide an exploit for CVE-2026-5513 (Bookly Stored XSS) but lacks actual exploit code, instead pushing external downloads via Telegram links and listing generic features without technical depth.

Classification

Suspicious 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Theoretical

Target: Bookly — Online Scheduling and Appointment Booking System ≤ 27.2

No auth needed

Prerequisites: Remember personal information in cookies must be enabled

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Jun 15, 2026 Full analysis →

github WORKING POC

by Xaanziu · pythonpoc

https://github.com/Xaanziu/CVE-2026-5513

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2026-5513, a stored XSS vulnerability in the Bookly WordPress plugin (versions ≤ 27.2). The exploit automates detection, cookie injection, and payload delivery via the 'bookly-customer-full-name' cookie, with support for multi-threaded scanning and proxy usage.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Bookly WordPress Plugin ≤ 27.2

No auth needed

Prerequisites: Bookly plugin installed · Remember personal information in cookies setting enabled

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Jun 14, 2026 Full analysis →

References (2)

Core 2

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/b8ab6dfa-3764-470f-aa49-1964f42d93de?source=cve

https://plugins.trac.wordpress.org/changeset/3504922/bookly-responsive-appointment-booking-tool

Scores

CVSS v3 7.2

EPSS 0.0026

EPSS Percentile 16.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

ladela/Online Scheduling and Appointment Booking System – Bookly < 27.2

Published Jun 13, 2026

Tracked Since Jun 13, 2026