CVE-2026-2519: CWE-472 External Control of Assumed-Immutable Web Parameter in ladela Online Scheduling and Appointment Booking System – Bookly
The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number to the 'tips' parameter, causing the total price to be reduced to zero.
AI Analysis
Technical Summary
CVE-2026-2519 describes a vulnerability in the ladela Online Scheduling and Appointment Booking System – Bookly WordPress plugin. The flaw arises from the plugin's failure to validate the 'tips' parameter on the server side, allowing unauthenticated attackers to submit negative values. This external control of an assumed-immutable parameter enables attackers to manipulate the total price calculation, effectively reducing it to zero. The vulnerability affects all versions up to 27.0. There is no vendor-provided patch or official remediation information available at this time. The CVSS score of 5.3 reflects a medium severity impact with no confidentiality or availability impact but with integrity impact due to price manipulation.
Potential Impact
The vulnerability allows unauthenticated attackers to manipulate the total price by submitting negative values in the 'tips' parameter, potentially bypassing payment requirements or causing financial loss to merchants using the plugin. There is no impact on confidentiality or availability reported. The integrity of the pricing calculation is compromised, which can lead to unauthorized price reductions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider implementing server-side validation for the 'tips' parameter to reject negative values or disable the tips feature if possible. Monitoring for suspicious transactions related to price anomalies may also help mitigate risk.
CVE-2026-2519: CWE-472 External Control of Assumed-Immutable Web Parameter in ladela Online Scheduling and Appointment Booking System – Bookly
Description
The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number to the 'tips' parameter, causing the total price to be reduced to zero.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-2519 describes a vulnerability in the ladela Online Scheduling and Appointment Booking System – Bookly WordPress plugin. The flaw arises from the plugin's failure to validate the 'tips' parameter on the server side, allowing unauthenticated attackers to submit negative values. This external control of an assumed-immutable parameter enables attackers to manipulate the total price calculation, effectively reducing it to zero. The vulnerability affects all versions up to 27.0. There is no vendor-provided patch or official remediation information available at this time. The CVSS score of 5.3 reflects a medium severity impact with no confidentiality or availability impact but with integrity impact due to price manipulation.
Potential Impact
The vulnerability allows unauthenticated attackers to manipulate the total price by submitting negative values in the 'tips' parameter, potentially bypassing payment requirements or causing financial loss to merchants using the plugin. There is no impact on confidentiality or availability reported. The integrity of the pricing calculation is compromised, which can lead to unauthorized price reductions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider implementing server-side validation for the 'tips' parameter to reject negative values or disable the tips feature if possible. Monitoring for suspicious transactions related to price anomalies may also help mitigate risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-15T06:39:59.038Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d8437c1cc7ad14da3fb791
Added to database: 4/10/2026, 12:25:32 AM
Last enriched: 4/17/2026, 12:03:12 PM
Last updated: 5/25/2026, 3:31:30 AM
Views: 101
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.