Severity: HIGH | CVE-2026-5513 | CNA: Wordfence

CVE-2026-5513: Online Scheduling and Appointment Booking System – Bookly <= 27.2 - Unauthenticated Stored Cross-Site Scripting via 'bookly-customer-full-name' Cookie

The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page. Exploitation requires the 'Remember personal information in cookies' setting to be enabled (it is disabled by default).

Metrics

  • CVSS v3.1: 7.2
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in the Bookly WordPress plugin (versions up to and including 27.2) allows an unauthenticated attacker to inject malicious JavaScript through the 'bookly-customer-full-name' cookie. The attack is reachable over the network with no authentication or victim interaction required, though it only succeeds when the 'Remember personal information in cookies' setting is enabled on the target site (disabled by default). Successful exploitation lets the injected script execute in the browsers of users who visit affected pages, enabling session theft, credential harvesting, or unauthorized actions on behalf of those users. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-5513 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Bookly plugin. Any image containing an affected version of the plugin is flagged automatically in both registry scans and CI/CD pipeline checks.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 7.2 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage findings are routable to the appropriate team inbox within each customer organization based on policy-defined ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, the finding remains open and visible in each customer's vulnerability dashboard so teams can apply compensating controls.

Exploit Conditions

  • Network reachability: Required

    The attacker sends a crafted HTTP request containing the malicious cookie value over the network to the target WordPress site.

  • Authentication: Not required

    No account or credentials of any kind are needed; the injection point is accessible to anonymous visitors.

  • Victim interaction: Not required

    No user interaction is needed to plant the payload; however, the payload executes in the browser of any user who subsequently loads an injected page.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free once the 'Remember personal information in cookies' setting is enabled on the target site; no race conditions or special memory layout are required.

Blast Radius

  • Injected scripts run in the browsers of authenticated WordPress users (including admins) who visit affected pages, allowing the attacker to steal session cookies and hijack those accounts.
  • The attacker can exfiltrate form data, saved credentials, or any content rendered on the affected page to an external server.
  • Injected JavaScript can perform actions in the victim's browser on their behalf, such as creating new admin accounts or modifying site settings.
  • Site integrity can be undermined by persistent script injection that redirects visitors, serves malicious downloads, or defaces page content.

How HarborGuard Handles This

Available on HarborGuard: because no fix version has been published for CVE-2026-5513, HarborGuard continuously monitors the advisory and re-evaluates it on every ingest cycle. The moment ladela publishes a patched release, a rebuilt image at that version becomes available, and for customers who opt into auto-remediation the pipeline will trigger a rebuild, run regression tests, and open a PR against affected workloads automatically.

While no patch exists, recommended compensating controls are:

  • Keep the 'Remember personal information in cookies' option in Bookly's settings disabled. It is off by default, so not enabling it is the primary mitigation.
  • Apply a web application firewall rule to strip or reject the 'bookly-customer-full-name' cookie on ingress.
  • Restrict network access to the WordPress admin interface via network policy so that even if a script executes it has limited reach.

The CVE remains flagged and open in the HarborGuard dashboard for all environments running Bookly versions 27.2 or earlier.
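The ingress-side cookie filter described above, written out as an added example (this is not HarborGuard's or Bookly's code): it parses a raw Cookie header and either strips the 'bookly-customer-full-name' cookie before the request reaches WordPress or flags requests whose cookie value carries markup characters. The sample headers are constructed and the function names are assumptions.

```python
from urllib.parse import unquote

# Cookie name taken from the advisory; everything else here is an assumption.
BLOCKED_COOKIE = "bookly-customer-full-name"
# Characters a customer name never needs but an HTML or attribute breakout does.
# The value is URL-decoded first, so %3C is caught as well as a literal '<'.
MARKUP_CHARS = frozenset('<>"\'&')


def parse_cookie_header(header: str) -> list:
    """Split a raw Cookie header into (name, value) pairs, preserving order."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def strip_blocked_cookie(header: str) -> str:
    """Strip variant: rebuild the header without the affected cookie."""
    kept = [f"{n}={v}" for n, v in parse_cookie_header(header) if n != BLOCKED_COOKIE]
    return "; ".join(kept)


def should_reject(header: str) -> bool:
    """Reject variant: True when the affected cookie carries markup characters."""
    return any(
        name == BLOCKED_COOKIE and bool(MARKUP_CHARS & set(unquote(value)))
        for name, value in parse_cookie_header(header)
    )


# Constructed samples: an ordinary visitor's cookies, and one whose Bookly
# cookie carries URL-encoded tags (<b>bold</b>) instead of a name.
BENIGN = "wordpress_test_cookie=WP%20Cookie%20check; bookly-customer-full-name=Jane%20Doe"
HOSTILE = "bookly-customer-full-name=%3Cb%3Ebold%3C%2Fb%3E; PHPSESSID=abc123"

if __name__ == "__main__":
    print(strip_blocked_cookie(HOSTILE))                  # PHPSESSID=abc123
    print(should_reject(BENIGN), should_reject(HOSTILE))  # False True
```

The reject variant also blocks legitimate names containing an apostrophe or ampersand, so stripping the cookie is the less disruptive choice; either way, keeping the Bookly setting disabled remains the primary control.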

Affected packages

  • ladela / Online Scheduling and Appointment Booking System – Bookly: ≤ 27.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N