## https://sploitus.com/exploit?id=FDD828AA-3AA6-5444-85DD-E828FD297BF8
# CVE-2026-5513: Bookly ≤ 27.2 Stored XSS via Cookie
## Overview
| Field | Value |
|---|---|
| **CVE ID** | CVE-2026-5513 |
| **Vulnerability** | Stored Cross-Site Scripting (XSS) |
| **Plugin** | [Bookly](https://wordpress.org/plugins/bookly-responsive-appointment-booking-tool/) - Online Scheduling and Appointment Booking System |
| **Affected** | ≤ 27.2 |
| **Patched** | 27.3+ |
| **CVSS 3.1** | **7.2 (High)** - `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N` |
| **CWE** | CWE-79 |
| **Auth Required** | None |
| **Prerequisite** | `Remember personal information in cookies` must be **enabled** (disabled by default) |
## Description
The **Bookly** plugin for WordPress is vulnerable to **Stored Cross-Site Scripting** via the `bookly-customer-full-name` cookie in versions up to and including **27.2** due to insufficient input sanitization and output escaping.
When the "Remember personal information in cookies" setting is enabled, the plugin reads the `bookly-customer-full-name` cookie value and renders it directly into the booking form HTML **without proper escaping**. An unauthenticated attacker can inject arbitrary JavaScript payloads via this cookie that execute whenever any user (including administrators) visits a page containing the Bookly booking form.
### Attack Flow
```
Attacker → Set malicious cookie (bookly-customer-full-name=...)
→ Visit page with Bookly booking form
→ Plugin reads cookie, renders value without escaping
→ XSS payload executes in victim's browser context
```
### Root Cause
```php
// VULNERABLE - Bookly ≤ 27.2
$full_name = $_COOKIE['bookly-customer-full-name']; // No sanitization
echo '<input type="text" value="' . $full_name . '">'; // No escaping (form markup shown schematically)
```
```php
// PATCHED - Bookly 27.3+
$full_name = sanitize_text_field($_COOKIE['bookly-customer-full-name']);
echo '<input type="text" value="' . $full_name . '">'; // form markup shown schematically
```
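To make the root cause concrete without WordPress, here is a small Python model of the same flow. It is an added example, not Bookly's code: `render_vulnerable` mirrors the unescaped concatenation described above, and `render_hardened` applies the two defenses the description names, sanitizing on input (a rough stand-in for `sanitize_text_field()`) and escaping for the HTML attribute context on output (the role WordPress's `esc_attr()` plays). The cookie header, the field name and the `<input>` markup are constructed assumptions.

```python
"""Model of the cookie-to-form flow behind CVE-2026-5513.

Added example, not Bookly's code.  The plugin reads the
``bookly-customer-full-name`` cookie and writes it into the booking form;
``render_vulnerable`` mirrors the unescaped concatenation the advisory
describes, ``render_hardened`` adds input sanitization (approximating
``sanitize_text_field``) and attribute-context output escaping (the job
of WordPress's ``esc_attr()``).  Markup and field name are assumptions.
"""
import html
import re
from typing import Dict
from urllib.parse import unquote

COOKIE_NAME = "bookly-customer-full-name"

# Constructed Cookie request header.  Browsers percent-encode cookie values,
# so the raw header does not show what the server interpolates after decoding.
SAMPLE_COOKIE_HEADER = (
    "wordpress_test_cookie=WP%20Cookie%20check; "
    "bookly-customer-full-name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Split a Cookie header into a name -> percent-decoded value map."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = unquote(value)
    return cookies


def sanitize_text_field(value: str) -> str:
    """Rough stand-in for WordPress sanitize_text_field(): drop tags and
    control characters, trim whitespace.  It is not output escaping:
    quotes survive, so on its own it cannot protect an attribute."""
    value = re.sub(r"<[^>]*>?", "", value)
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return value.strip()


def render_vulnerable(full_name: str) -> str:
    """The flaw: the decoded cookie value lands inside a quoted attribute
    with no escaping, so a leading '"' closes the attribute."""
    return '<input type="text" name="full_name" value="' + full_name + '">'


def render_hardened(full_name: str) -> str:
    """Sanitize on input, then escape for the attribute context on output."""
    clean = sanitize_text_field(full_name)
    return ('<input type="text" name="full_name" value="'
            + html.escape(clean, quote=True) + '">')


def breaks_out_of_attribute(rendered: str) -> bool:
    """Oracle: the fragment should contain exactly one tag.  A value that
    closed the attribute and opened a new element adds more."""
    return len(re.findall(r"<[a-zA-Z/]", rendered)) > 1


if __name__ == "__main__":
    full_name = parse_cookie_header(SAMPLE_COOKIE_HEADER)[COOKIE_NAME]
    print("decoded cookie value:", full_name)
    for label, renderer in (("vulnerable", render_vulnerable),
                            ("hardened", render_hardened)):
        out = renderer(full_name)
        print(f"{label:10s} breaks out: {breaks_out_of_attribute(out)}  ->  {out}")
```

The point the model makes is that sanitizing alone is not enough: `sanitize_text_field` strips the tags but leaves the `"` that closes the attribute, and only the output-side escaping keeps the value inert. Escaping has to match the context the value is written into (attribute here; a different escaper is needed inside a `<script>` block).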
## Features
```
✓ Auto IP/Domain probing (HTTP/HTTPS, common ports, redirect detection)
✓ WordPress & Bookly plugin detection with version check
✓ Cookie setting detection (BooklyL10n JS analysis + canary reflection)
✓ Multi-context XSS testing (HTML, JavaScript, attribute injection)
✓ Payload injection with reflection verification
✓ Single target or mass scan from file
✓ Multi-threaded scanning (up to 20 threads)
✓ Proxy support (Burp, etc.)
✓ Auto-save vulnerable results
✓ Interactive menu + CLI modes
```
## Installation
```bash
pip install requests colorama
```
## Usage
### CLI Mode
```bash
# Check single target
python CVE-2026-5513.py -u https://target.com -v
# Check single IP (auto-probe ports + redirects)
python CVE-2026-5513.py -u 167.99.0.203 -v
# Check + inject XSS payload
python CVE-2026-5513.py -u https://target.com --inject -v
# Custom XSS payload
python CVE-2026-5513.py -u https://target.com --inject --payload ""
# Mass scan from file
python CVE-2026-5513.py -l targets.txt -t 20 -o vuln.txt
# With Burp proxy
python CVE-2026-5513.py -u https://target.com -v --proxy http://127.0.0.1:8080
```
### Interactive Mode
```bash
python CVE-2026-5513.py
```
### Options
| Flag | Description |
|---|---|
| `-u URL` | Single target (URL, domain, or IP) |
| `-l FILE` | File with list of targets (one per line) |
| `--inject` | Inject XSS payload (default: check only) |
| `--payload STR` | Custom XSS payload |
| `-t N` | Number of threads (default: 10, max: 20) |
| `--proxy URL` | HTTP proxy (e.g. `http://127.0.0.1:8080`) |
| `-o FILE` | Save results to file |
| `-v` | Verbose output |
### Target Formats
The tool accepts any of these formats in `-u` or in the target list file:
```
https://example.com
http://example.com
example.com
192.168.1.100
192.168.1.100:8080
```
For bare IPs, the tool automatically:
- Probes ports 443, 80, 8443, 8080
- Detects HTTP → HTTPS redirects
- Detects IP → domain redirects (e.g. `167.99.0.203` → `https://book.repairrite.com`)
- Scans WordPress subdirectories (`/wp/`, `/blog/`, `/wordpress/`, etc.)
## Exploit Chain
```
STEP 0: Probe target (IP/domain → resolve base URL, detect redirects)
STEP 1: Detect Bookly plugin (readme.txt, plugin dir, assets, version check)
STEP 2: Check cookie setting (BooklyL10n JS analysis + canary reflection test)
STEP 3: Test XSS reflection (HTML context, JS context, attribute context)
STEP 4: Inject payload (if --inject mode, verify reflection)
```
## Google Dorks
```
# FOFA
body="bookly-responsive-appointment-booking-tool"
body="bookly-customer-full-name"
body="bookly-form-group" && body="wp-content/plugins/bookly"
# Google
inurl:"/wp-content/plugins/bookly-responsive-appointment-booking-tool/readme.txt"
intitle:"Book Appointment" inurl:"booking" intext:"bookly"
```
## Remediation
| Priority | Action |
|:---:|---|
| High | **Update Bookly to version 27.3+** |
| Medium | Disable "Remember personal information in cookies" in Bookly Settings → General |
| Low | Deploy WAF rules to filter XSS in cookie values |
| Low | Implement Content-Security-Policy (CSP) headers |
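The WAF/log-side control in the table comes down to one predicate on the `bookly-customer-full-name` cookie value. The following is an added detection example, not part of this tool: it runs over constructed access-log lines, assumes a log format that records the request's Cookie header (for example Apache's `%{Cookie}i`), percent-decodes the value once, as PHP does when it populates `$_COOKIE`, and classifies it. Tag delimiters, event-handler assignments and `javascript:` are high confidence; a lone quote is low confidence, because names such as O'Neil legitimately contain one. The IPs and cookie values are constructed sample data.

```python
"""Log-side detection for the cookie-borne XSS in CVE-2026-5513.

Added example, not the page's scanner.  Assumes a web-server log format that
records the Cookie header; decodes the ``bookly-customer-full-name`` value
once (as PHP does for ``$_COOKIE``) and classifies it.  The same predicate
is what a WAF rule on this cookie would encode.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

COOKIE_NAME = "bookly-customer-full-name"

# Constructed log lines in the assumed format: client IP, quoted request
# line, status, quoted Cookie header ("-" when no cookies were sent).
SAMPLE_LOG = """\
203.0.113.10 "GET /book-now/ HTTP/1.1" 200 "bookly-customer-full-name=Jane%20Doe; bookly-customer-email=jane%40example.com"
203.0.113.10 "GET /book-now/ HTTP/1.1" 200 "bookly-customer-full-name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"
198.51.100.7 "GET /book-now/ HTTP/1.1" 200 "bookly-customer-full-name=Ren%C3%A9%20O%27Neil"
198.51.100.7 "GET /book-now/ HTTP/1.1" 200 "wordpress_logged_in=REDACTED; bookly-customer-full-name=x%22%20onfocus%3Dalert(1)%20autofocus%3D%22"
192.0.2.5 "GET /contact/ HTTP/1.1" 200 "-"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
# Needed to break out of an attribute or start script; never part of a name.
HIGH = re.compile(r"[<>]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# Quotes can close an attribute but also occur in real names: review, don't block.
LOW = re.compile(r"[\"']")


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Split a Cookie header into a name -> percent-decoded value map."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = unquote(value)
    return cookies


def classify(value: str) -> Optional[str]:
    """Return 'high', 'low' or None for a decoded full-name cookie value."""
    if HIGH.search(value):
        return "high"
    if LOW.search(value):
        return "low"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag requests whose Bookly full-name cookie looks like markup/script."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match or match["cookie"] == "-":
            continue
        value = parse_cookie_header(match["cookie"]).get(COOKIE_NAME)
        if value is None:
            continue
        severity = classify(value)
        if severity:
            findings.append({"ip": match["ip"], "severity": severity,
                             "request": match["request"], "value": value})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"[{finding['severity']:4s}] {finding['ip']:15s} "
              f"{finding['request']}  cookie={finding['value']!r}")
```

Decode exactly once, the way the server does: a rule that matches only the raw header misses `%3Cscript%3E`, while decoding twice invites false positives on values that legitimately contain `%`. Because the cookie is an attacker-controlled request header rather than stored server-side data, the same check can sit in a WAF rule that strips or rejects the cookie before the plugin reads it, which complements the upgrade rather than replacing it.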
## References
- [NVD: CVE-2026-5513](https://nvd.nist.gov/vuln/detail/CVE-2026-5513)
- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/id/CVE-2026-5513)
- [Tenable](https://www.tenable.com/cve/CVE-2026-5513)
- [Bookly Changelog](https://www.booking-wp-plugin.com/changelog/)
## Disclaimer
> **This tool is provided for authorized security testing and educational purposes only.**
> Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing.
> The author is not responsible for any misuse of this tool.
## License
MIT