Wpdevelop Booking Calendar vulnerabilities
19 known vulnerabilities affecting wpdevelop/booking_calendar.
Total CVEs: 19
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 15
Vulnerabilities
CVE-2024-1207 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | ≤ 9.9 | 2024-02-08
The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attacke
nvd
CVE-2025-14383 | P3 | HIGH | CVSS 7.5 | CWE-89 | ≤ 10.14.8 | 2025-12-15
The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'dates_to_check' parameter in all versions up to, and including, 10.14.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to appen
nvd
CVE-2022-1463 | P3 | HIGH | CVSS 8.8 | CWE-502 | ≥ 9.1, ≤ 9.1 | 2022-05-10
The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. This could be exploited by subscriber-level users and above to call arbitrary PHP objects on a vulnerable site.
nvd
CVE-2026-32358 | P3 | HIGH | CVSS 7.6 | CWE-89 | ≤ 10.14.15 | 2026-03-13
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop Booking Calendar booking allows Blind SQL Injection. This issue affects Booking Calendar: from n/a through <= 10.14.15.
nvd
CVE-2017-2150 | P4 | MEDIUM | CVSS 5.3 | CWE-22 | version 7.0 and earlier | 2017-04-28
Directory traversal vulnerability in Booking Calendar version 7.0 and earlier allows remote attackers to read arbitrary files via specially crafted captcha_chalange parameter.
nvd
CVE-2025-9346 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | ≤ 10.14.1 | 2025-08-28
The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 10.14.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will exe
nvd
CVE-2025-12804 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | ≤ 10.14.6 | 2025-12-05
The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bookingcalendar' shortcode in all versions up to, and including, 10.14.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and ab
nvd
CVE-2024-13821 | P4 | MEDIUM | CVSS 5.3 | CWE-285 | ≤ 10.10 | 2025-02-12
The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted. This makes it possible for unauthenticated attackers to manip
nvd
CVE-2025-14146 | P4 | MEDIUM | CVSS 5.3 | CWE-862 | ≤ 10.14.10 | 2026-01-09
The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_p
nvd
CVE-2026-1431 | P4 | MEDIUM | CVSS 5.3 | CWE-862 | ≤ 10.14.13 | 2026-01-31
The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails.
nvd
CVE-2025-64381 | P4 | MEDIUM | CVSS 6.5 | CWE-79 | ≤ 10.14.7 | 2025-11-13
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Calendar booking allows Stored XSS. This issue affects Booking Calendar: from n/a through <= 10.14.7.
nvd
CVE-2024-13323 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 10.9.2 | 2025-01-14
The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'booking' shortcode in all versions up to, and including, 10.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above,
nvd
CVE-2025-4669 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 10.11.1 | 2025-05-17
The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpbc shortcode in all versions up to, and including, 10.11.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to in
nvd
CVE-2024-6930 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 10.2.1 | 2024-07-24
The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute within the plugin's bookingform shortcode in all versions up to, and including, 10.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contrib
nvd
CVE-2025-14982 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | ≤ 10.14.11 | 2026-01-16
The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable informati
nvd
CVE-2026-2230 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | ≤ 10.14.14 | 2026-02-18
The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by a
nvd
CVE-2024-8274 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 10.5 | 2024-08-30
The WP Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters from 'timeline_obj' in all versions up to, and including, 10.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they
nvd
CVE-2017-2151 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | version 7.1 and earlier | 2017-04-28
Cross-site scripting vulnerability in Booking Calendar version 7.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2024-9306 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | ≤ 10.6 | 2024-10-04
The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 10.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages th
nvd