Codepeople Appointment Booking Calendar vulnerabilities
13 known vulnerabilities affecting codepeople/appointment_booking_calendar.
Total CVEs: 13
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 6, MEDIUM 5
Vulnerabilities
CVE-2020-9372 | P3 | HIGH | CVSS 7.8 | CWE-1236 | PoC | fixed in 1.3.35 | 2020-03-04
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
nvd
CVE-2016-10916 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.1.24 | 2019-08-22
The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than CVE-2015-7319.
nvd
CVE-2025-46247 | P3 | CRITICAL | CVSS 9.8 | CWE-862 | fixed in 1.3.93 | affects ≤ 1.3.92 | 2025-04-22
Missing Authorization vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Appointment Booking Calendar: from n/a through <= 1.3.92.
nvd
CVE-2022-43482 | P3 | HIGH | CVSS 8.8 | CWE-862 | fixed in 1.3.70 | affects ≤ 1.3.69 | 2022-11-18
Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress.
nvd
CVE-2020-9371 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | PoC | fixed in 1.3.35 | 2020-03-04
Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML.
nvd
CVE-2024-12274 | P3 | HIGH | CVSS 7.5 | CWE-340 | fixed in 1.1.23 | 2025-01-13
The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access the exported files (if they exist).
nvd
CVE-2015-7319 | P3 | HIGH | CVSS 7.5 | CWE-89 | affects ≤ 1.1.7 | 2015-09-29
SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to updating the username.
nvd
CVE-2025-46241 | P3 | HIGH | CVSS 8.8 | CWE-352 | fixed in 1.3.93 | affects ≤ 1.3.92 | 2025-04-22
Cross-Site Request Forgery (CSRF) vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows SQL Injection. This issue affects Appointment Booking Calendar: from n/a through <= 1.3.92.
nvd
CVE-2024-0856 | P3 | HIGH | CVSS 8.8 | CWE-352 | fixed in 1.3.83 | 2024-03-20
The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as adding a booking to the calendar without paying.
nvd
CVE-2025-13317 | P4 | MEDIUM | CVSS 5.3 | CWE-862 | affects ≤ 1.3.96 | 2025-11-22
The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, aut
nvd
CVE-2025-64261 | P4 | MEDIUM | CVSS 5.4 | CWE-862 | affects ≤ 1.3.95 | 2025-11-13
Missing Authorization vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appointment Booking Calendar: from n/a through <= 1.3.95.
nvd
CVE-2019-14791 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affects 1.3.18 | 2019-08-09
The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter.
nvd
CVE-2015-7320 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | affects ≤ 1.1.7 | 2015-09-29
Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd