[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-ZYDV33uCVBpiQ29xElJOScyWoV9tcyUJtAnKL_Icj8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-5513","online-scheduling-and-appointment-booking-system-bookly-unauthenticated-stored-cross-site-scripting-via-bookly-customer-","Online Scheduling and Appointment Booking System – Bookly \u003C= 27.2 - Unauthenticated Stored Cross-Site Scripting via 'bookly-customer-full-name' Cookie","The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires 'Remember personal information in cookies' setting to be enabled (disabled by default).","bookly-responsive-appointment-booking-tool",null,"\u003C=27.2","27.3","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-12 22:03:33","2026-06-13 11:25:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb8ab6dfa-3764-470f-aa49-1964f42d93de?source=api-prod",1,[22,23,24,25,26,27,28,29],"backend\u002Fcomponents\u002Fcloud\u002Faccount\u002FAjax.php","backend\u002Fcomponents\u002Fdialogs\u002Fappointment\u002Fcustomer_details\u002Fresources\u002Fjs\u002Fcustomer-details.js","backend\u002Fcomponents\u002Fdialogs\u002Fappointment\u002Fedit\u002Fresources\u002Fjs\u002Fappointment.js","backend\u002Fcomponents\u002Fdialogs\u002Fcustomer\u002Fedit\u002Fresources\u002Fjs\u002Fcustomer.js","backend\u002Fcomponents\u002Fdialogs\u002Fmailing\u002Fadd_recipients\u002Fresources\u002Fjs\u002Fadd-recipients.js","backend\u002Fcomponents\u002Fdialogs\u002Fmailing\u002Fcampaign\u002Fresources\u002Fjs\u002Fcampaign-dialog.js","backend\u002Fcomponents\u002Fdialogs\u002Fpayment\u002Fresources\u002Fjs\u002Fpayment-details-dialog.js","backend\u002Fcomponents\u002Fdialogs\u002Fqueue\u002Fresources\u002Fjs\u002Fqueue-dialog.js","researched",false,3,"This exploitation research plan targets **CVE-2026-5513**, a Stored Cross-Site Scripting (XSS) vulnerability in the Bookly WordPress plugin. The vulnerability arises because the plugin trustfully reads the `bookly-customer-full-name` cookie and renders its value without sufficient sanitization or escaping, specifically when the \"Remember personal information in cookies\" feature is enabled.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Unauthenticated Stored Cross-Site Scripting (XSS).\n*   **Vector:** `bookly-customer-full-name` cookie.\n*   **Cause:** The plugin reads the customer's name from a cookie to pre-fill booking forms or display user info. The value is rendered into the HTML document (likely the admin dashboard or the frontend booking form) without using `esc_html()` or `esc_attr()`.\n*   **Precondition:** The setting `bookly_gen_remember_customer_info` (Label: \"Remember personal information in cookies\") must be enabled. This is disabled by default.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The WordPress frontend page containing the `[bookly-form]` shortcode, and the WordPress Admin Appointments list (`\u002Fwp-admin\u002Fadmin.php?page=bookly-appointments`).\n*   **Payload Location:** The value of the `bookly-customer-full-name` cookie.\n*   **Authentication:** Unauthenticated. The attacker sets a cookie in their own session, then performs a booking action.\n*   **Preconditions:**\n    1.  The plugin version is \u003C= 27.2.\n    2.  `bookly_gen_remember_customer_info` is set to `1`.\n\n### 3. Code Flow\n1.  **Source:** The plugin invokes a method to retrieve customer information, which calls `Bookly\\Lib\\Utils\\Cookie::get( 'bookly-customer-full-name' )`.\n2.  **Processing:** If the cookie exists and the \"Remember personal information\" setting is enabled, this value is assigned to the customer's name property in the booking session or pre-filled into form data.\n3.  **Storage:** When the booking is submitted (via `admin-ajax.php?action=bookly_render_payment_interim` or `bookly_save_appointment`), the name from the session\u002Fform (originally sourced from the cookie) is saved to the `wp_bookly_customers` table in the database.\n4.  **Sink:** An administrative user views the \"Appointments\" or \"Customers\" page in the Bookly backend. The plugin retrieves the customer name from the database and echoes it directly into the table or a modal (like those handled in `customer-details.js`) without escaping.\n\n### 4. Nonce Acquisition Strategy\nBookly protects its AJAX endpoints using nonces localized into the frontend page.\n*   **Shortcode:** `[bookly-form]`\n*   **JS Variable:** `BooklyL10n`\n*   **Nonce Key:** `ajax_nonce`\n\n**Extraction Steps:**\n1.  Navigate to a page where the `[bookly-form]` shortcode is rendered.\n2.  In the browser context, execute: `browser_eval(\"BooklyL10n.ajax_nonce\")`.\n3.  Note: If the nonce is not in `BooklyL10n`, check for `BooklyL10n.booking_nonce` or global variables defined in the localized script block.\n\n### 5. Exploitation Strategy\n1.  **Preparation:** Use WP-CLI to enable the vulnerable setting.\n2.  **Cookie Injection:** Set the `bookly-customer-full-name` cookie to an XSS payload (e.g., `\u003Cimg src=x onerror=alert(document.domain)>`).\n3.  **Persistence (The \"Store\"):** Perform a booking submission. By initiating the booking with the cookie set, the plugin will use this value for the customer's name.\n4.  **Trigger:** Access the Bookly Appointments page as an administrator.\n\n**Specific HTTP Request (Booking Submission Example):**\n*   **Tool:** `http_request`\n*   **URL:** `https:\u002F\u002Ftarget.local\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `{\"Content-Type\": \"application\u002Fx-www-form-urlencoded\", \"Cookie\": \"bookly-customer-full-name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E\"}`\n*   **Body:**\n    ```\n    action=bookly_save_appointment&\n    full_name=\u003Cimg src=x onerror=alert(1)>&\n    email=victim@example.com&\n    phone=123456789&\n    service_id=1&\n    staff_id=1&\n    csrf_token=[NONCE]\n    ```\n    *(Note: Parameters may vary based on Bookly version; use the browser network tab to capture the exact field names used in the 'Details' step of the booking form).*\n\n### 6. Test Data Setup\n1.  **Enable Feature:** `wp option update bookly_gen_remember_customer_info 1`\n2.  **Create Service\u002FStaff:** Ensure at least one service and one staff member exist so the booking form can be completed.\n3.  **Publish Form:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Book Now\" --post_status=publish --post_content=\"[bookly-form]\"\n    ```\n\n### 7. Expected Results\n*   **Frontend:** Upon refreshing the booking page with the cookie set, the \"Full Name\" field may pre-fill with the payload. If the field is rendered as a label or in a confirmation step, the `alert(1)` will trigger immediately.\n*   **Backend:** After submitting the booking, navigating to `wp-admin\u002Fadmin.php?page=bookly-appointments` will cause the `alert(1)` to fire in the admin's browser context when the page loads the appointment table.\n\n### 8. Verification Steps\n1.  **Check Database:**\n    ```bash\n    wp db query \"SELECT full_name FROM wp_bookly_customers ORDER BY id DESC LIMIT 1;\"\n    ```\n    Confirm the output contains the raw HTML payload: `\u003Cimg src=x onerror=alert(1)>`.\n2.  **Verify Execution:** Use `browser_navigate` to the Appointments page and check for an alert dialog or the existence of the payload in the DOM.\n\n### 9. Alternative Approaches\n*   **Frontend Reflection:** If the XSS does not store correctly, check the interim \"Summary\" or \"Confirmation\" step of the booking form. These often reflect the name from the session\u002Fcookie before the final save.\n*   **Customer Profile:** If the \"Customer Cabinet\" feature is enabled (Bookly Pro\u002FAdd-ons), log in as the customer. The name is often rendered unescaped in the profile header.","The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to unauthenticated Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie. When the 'Remember personal information in cookies' setting is enabled, the plugin stores unsanitized customer names from cookies into the database, which later execute when viewed by an administrator.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbookly-responsive-appointment-booking-tool\u002F27.2\u002Fbackend\u002Fcomponents\u002Fcloud\u002Faccount\u002FAjax.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbookly-responsive-appointment-booking-tool\u002F27.3\u002Fbackend\u002Fcomponents\u002Fcloud\u002Faccount\u002FAjax.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbookly-responsive-appointment-booking-tool\u002F27.2\u002Fbackend\u002Fcomponents\u002Fcloud\u002Faccount\u002FAjax.php\t2026-03-20 09:05:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbookly-responsive-appointment-booking-tool\u002F27.3\u002Fbackend\u002Fcomponents\u002Fcloud\u002Faccount\u002FAjax.php\t2026-04-13 08:50:54.000000000 +0000\n@@ -50,7 +50,8 @@\n                 self::parameter( 'username' ),\n                 self::parameter( 'password' ),\n                 self::parameter( 'password_repeat' ),\n-                self::parameter( 'country' )\n+                self::parameter( 'country' ),\n+                self::parameter( 'source' )\n             );\n             if ( $response ) {\n                 update_option( 'bookly_cloud_token', $response['token'] );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbookly-responsive-appointment-booking-tool\u002F27.2\u002Fbackend\u002Fcomponents\u002Fdialogs\u002Fappointment\u002Fcustomer_details\u002Fresources\u002Fjs\u002Fcustomer-details.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbookly-responsive-appointment-booking-tool\u002F27.3\u002Fbackend\u002Fcomponents\u002Fdialogs\u002Fappointment\u002Fcustomer_details\u002Fresources\u002Fjs\u002Fcustomer-details.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbookly-responsive-appointment-booking-tool\u002F27.2\u002Fbackend\u002Fcomponents\u002Fdialogs\u002Fappointment\u002Fcustomer_details\u002Fresources\u002Fjs\u002Fcustomer-details.js\t2026-03-20 09:05:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbookly-responsive-appointment-booking-tool\u002F27.3\u002Fbackend\u002Fcomponents\u002Fdialogs\u002Fappointment\u002Fcustomer_details\u002Fresources\u002Fjs\u002Fcustomer-details.js\t2026-04-13 08:50:54.000000000 +0000\n@@ -1 +1 @@\n-var BooklyCustomerDetailsDialog=function(t,e,n,r,o){... (truncated at 18000 of 3507000 chars — patch_diff)","1. Ensure the 'Remember personal information in cookies' setting is enabled (bookly_gen_remember_customer_info option).\n2. As an unauthenticated user, set a browser cookie named 'bookly-customer-full-name' with a value containing an XSS payload (e.g., \u003Cimg src=x onerror=alert(1)>).\n3. Navigate to the frontend page containing the Bookly booking form [bookly-form] and proceed with a booking. The plugin will pre-fill the name field using the malicious cookie value.\n4. Complete and submit the booking. The payload is now stored in the WordPress database.\n5. The payload will execute when an administrator views the appointment details or customer list in the Bookly backend (e.g., at \u002Fwp-admin\u002Fadmin.php?page=bookly-appointments).","gemini-3-flash-preview","2026-06-26 00:19:27","2026-06-26 00:20:48",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","27.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbookly-responsive-appointment-booking-tool\u002Ftags\u002F27.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbookly-responsive-appointment-booking-tool.27.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbookly-responsive-appointment-booking-tool\u002Ftags\u002F27.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbookly-responsive-appointment-booking-tool.27.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbookly-responsive-appointment-booking-tool\u002Ftags"]