Online Scheduling and Appointment Booking System – Bookly <= 27.0 - Unauthenticated Price Manipulation via 'tips'

Description

The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number to the 'tips' parameter, causing the total price to be reduced to zero.

Affected Products

Vendor	Product	Versions
ladela	online scheduling and appointment booking system – bookly	0

References

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-2519 | ladela Bookly Plugin up to 27.0 on WordPress Negative Number tips external control of assumed-immutable web parameter

→ No new info (linked only)

CVSS 3.15.3 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-472

PublishedApr 9, 2026

Last enriched5h agov2

Trending Score49

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Online Scheduling and Appointment Booking System – Bookly <= 27.0 - Unauthenticated Price Manipulation via 'tips'

Description

Affected Products

References

Related News (1 articles)

Community Vote

Pin to Dashboard

Verification

Vulnerability Timeline

Version History