CVE-2026-2519

Name of the Vulnerable Software and Affected Versions Bookly versions up to and including 27.0

Description The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is susceptible to price manipulation through the tips parameter. The plugin does not properly validate user-supplied input against the configured price, allowing unauthenticated attackers to submit a negative number to the tips parameter. This can reduce the total price to zero.

Recommendations Update Bookly to a version newer than 27.0.