HarborGuard Database

HIGH · CVE-2026-42667 · CNA: Patchstack

CVE-2026-42667: WordPress Bookly plugin <= 27.4 - Sensitive Data Exposure vulnerability

Unauthenticated Sensitive Data Exposure in Bookly <= 27.4 versions.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: no fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated sensitive data exposure vulnerability affects the Bookly WordPress plugin at version 27.4 and below. The flaw is reachable over the network and requires no credentials, meaning any internet-connected attacker can trigger it without any prior access to the system. Successful exploitation allows an attacker to read sensitive data stored or processed by the plugin. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-42667 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds including Patchstack. Matching covers both images pulled from public registries and custom-built images that bundle the Bookly plugin.

Triage (Available)

Triage is available with CVSS v3.1 scoring applied at a severity of HIGH (7.5), surfacing the issue for prompt review within each customer's queue. Per-environment compliance policy weighting and routing rules can direct the finding to the appropriate team or inbox inside each customer organization.

Patch (Pending upstream)

No fix version has been published by the upstream maintainer as of CVE publication. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress installation over the network; there is no requirement for local or physical access.

  • Authentication: Not required

    No account or credentials of any kind are needed; the vulnerable endpoint is accessible to any unauthenticated request.

  • Victim interaction: Not required

    The attack is fully server-side and does not require a logged-in user or site visitor to take any action.

  • Attack complexity: Low

    Exploit complexity is low, meaning the attack is reliable and requires no special conditions, race conditions, or environmental factors to succeed.

Blast Radius

  • A successful attacker reads sensitive data held by the Bookly plugin, which typically includes customer booking records, names, contact details, and appointment metadata.
  • No write or delete capability is indicated by the CVSS vector, so data integrity and availability are not directly affected by this vulnerability alone.
  • Exposed booking data can be used for targeted phishing and social engineering of the affected customers, for account-takeover attempts that start from the leaked names and contact details, or resold as part of a data breach.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE fires within minutes of advisory ingestion for any image found to include the Bookly plugin at an affected version (27.4 or below), covering both registry-pulled and internally built images. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once the maintainer ships a corrected release. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention.

In the meantime, compensating controls worth considering include network-policy rules that restrict unauthenticated external access to WordPress REST or AJAX endpoints, web application firewall rules targeting the exposed route once it is disclosed, and disabling the Bookly plugin on public-facing environments until a patch is available. Note that the public booking form itself relies on unauthenticated AJAX requests, so blocking those endpoints wholesale will break booking for legitimate visitors; scope any such rule to the affected route or accept the outage as the cost of the control.

Affected packages
  • Bookly / Bookly
    ≤ 27.4
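Matching an image against the affected range above is mostly a question of reading the plugin's version and comparing it correctly: a plain string comparison would wrongly treat 27.10 as older than 27.4. The following is an added example, not HarborGuard's scanner or Bookly's own code; it reads the standard WordPress plugin header (the `Plugin Name:` / `Version:` fields every plugin's main file carries) from a constructed sample and applies the advisory's "<= 27.4" range with a numeric comparison. The header sample and the treatment of 27.4.x point releases are assumptions for this example.

```python
import re

# Constructed sample: the header block of a WordPress plugin main file as a
# scanner would read it out of an image layer. "Plugin Name" and "Version" are
# standard WordPress plugin header fields; the rest of the text is made up.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Bookly
Description: Appointment booking plugin (sample header for this example).
Version: 27.4
Author: Bookly
*/
"""

AFFECTED_MAX = "27.4"   # advisory range: Bookly <= 27.4

HEADER_LINE = re.compile(r"^\s*\*?\s*([A-Za-z ]+?):\s*(.+?)\s*$", re.M)


def parse_plugin_header(text):
    """Return the 'Key: value' fields of a WordPress plugin header as a dict."""
    return {m.group(1).strip(): m.group(2).strip() for m in HEADER_LINE.finditer(text)}


def version_key(v):
    """Numeric tuple for a dotted version, trailing zeros dropped, so that
    27.10 > 27.4, 27.4.0 == 27.4 and 27.4.1 > 27.4."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", v.strip().lstrip("vV"))
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version, max_affected=AFFECTED_MAX):
    """True when version <= max_affected. A 27.4.x point release compares
    greater than 27.4 and is treated as outside the stated range; confirm
    that reading against the fix version once the maintainer publishes it."""
    return version_key(version) <= version_key(max_affected)


def scan_plugin_file(text):
    """Classify one plugin main file; None if it is not Bookly."""
    fields = parse_plugin_header(text)
    if fields.get("Plugin Name") != "Bookly" or "Version" not in fields:
        return None
    return {
        "name": "Bookly",
        "version": fields["Version"],
        "affected": is_affected(fields["Version"]),
        "advisory": "CVE-2026-42667",
    }


if __name__ == "__main__":
    print(scan_plugin_file(SAMPLE_PLUGIN_HEADER))
    for v in ("26.9", "27.3.9", "27.4.0", "27.4.1", "27.10"):
        print(v, "affected" if is_affected(v) else "not affected")
```

Run it against the header of each plugin main file found under `wp-content/plugins/` in an image; the function returns the classification so it can feed a policy check rather than only printing.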
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N