
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

19 records: 1 Critical, 2 High, 16 Medium
CVE-2026-2230 - Booking Calendar Plugin
MEDIUM | CVSS 4.3 | 2026-02-18 | Threat Entry Updated 2026-04-15

The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users' plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user.

CVE-2026-1431 - Booking Calendar Plugin
MEDIUM | CVSS 5.3 | 2026-01-31 | Threat Entry Updated 2026-04-15

The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails.

CVE-2026-1083 - Appointment Hour Booking – Booking Calendar Plugin
MEDIUM | CVSS 4.4 | 2026-01-28 | Threat Entry Updated 2026-04-15

The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' and 'Max length/characters' field configuration values. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the form builder interface. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2025-14982 - Booking Calendar Plugin
MEDIUM | CVSS 4.3 | 2026-01-16 | Threat Entry Updated 2026-01-16

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users.

CVE-2025-14146 - Booking Calendar Plugin
MEDIUM | CVSS 5.3 | 2026-01-09 | Threat Entry Updated 2026-01-13

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (the `booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for unauthenticated attackers to extract sensitive booking data including customer names, email addresses, phone numbers, and booking details.

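The entries for CVE-2026-2230, CVE-2026-1431, CVE-2025-14982 and CVE-2025-14146 share one root cause: an admin-ajax handler that trusts the request. The following is an added illustration, not code from the Booking Calendar plugin; the `bc_` function, capability, option and table names are hypothetical. It shows the handler as the advisories describe it (nonce check gated by an option, no capability check, the target record chosen by a client-supplied key) next to the hardened form, where the nonce is always verified, the action is gated on a plugin capability, and the record written is the caller's own.

```php
<?php
// Added example: hypothetical WordPress AJAX handlers, not plugin code.
// Function, capability, option and table names are assumptions for illustration.

// --- Vulnerable pattern (mirrors the advisories' wording) ---
add_action( 'wp_ajax_bc_save_settings', 'bc_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_bc_timeline_nav', 'bc_timeline_nav_vulnerable' );

function bc_save_settings_vulnerable() {
    // Nonce only checked when an option turns it on, and the option is off by default.
    if ( get_option( 'bc_nonce_at_front_end', 'Off' ) === 'On' ) {
        check_ajax_referer( 'bc_settings', 'nonce' );
    }
    // IDOR: the client decides whose settings row is written.
    $user_id = (int) $_POST['user_id'];
    update_user_meta( $user_id, 'bc_calendar_display', wp_unslash( $_POST['display'] ) );
    wp_send_json_success();
}

function bc_timeline_nav_vulnerable() {
    global $wpdb;
    // Registered under nopriv with no capability check: anyone receives the rows.
    $rows = $wpdb->get_results( "SELECT name, email, phone FROM {$wpdb->prefix}bc_bookings" );
    wp_send_json_success( $rows );
}

// --- Hardened pattern ---
add_action( 'wp_ajax_bc_save_settings', 'bc_save_settings_secure' );
add_action( 'wp_ajax_bc_timeline_nav', 'bc_timeline_nav_secure' );   // no nopriv registration

function bc_save_settings_secure() {
    // 1. CSRF: the nonce is verified unconditionally, never behind an option.
    check_ajax_referer( 'bc_settings', 'nonce' );

    // 2. Authorization: a plugin-specific capability that an administrator grants.
    if ( ! current_user_can( 'bc_manage_own_calendar' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Object ownership: the subject is the caller, never a request parameter.
    $user_id = get_current_user_id();
    $display = sanitize_text_field( wp_unslash( $_POST['display'] ?? '' ) );
    if ( ! in_array( $display, array( 'compact', 'full' ), true ) ) {
        wp_send_json_error( 'bad display value', 400 );
    }
    update_user_meta( $user_id, 'bc_calendar_display', $display );
    wp_send_json_success();
}

function bc_timeline_nav_secure() {
    global $wpdb;
    check_ajax_referer( 'bc_timeline', 'nonce' );
    if ( ! current_user_can( 'bc_view_bookings' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Return only what the timeline needs; PII requires a further capability.
    // $columns comes from a fixed allow-list, so interpolating it is safe.
    $columns = current_user_can( 'bc_view_booking_pii' ) ? 'name, email, phone, start_date' : 'start_date';
    $rows    = $wpdb->get_results( "SELECT {$columns} FROM {$wpdb->prefix}bc_bookings" );
    wp_send_json_success( $rows );
}
```

The custom capabilities used here (`bc_manage_own_calendar`, `bc_view_bookings`, `bc_view_booking_pii`) are assumed to be added to roles with `WP_Role::add_cap()` at plugin activation; that is what "booking permissions granted by an Administrator" looks like in code, and it keeps the check on the handler independent of whether the caller happens to be a Subscriber or an Editor.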
CVE-2025-14383 - Booking Calendar Plugin
HIGH | CVSS 7.5 | 2025-12-15 | Threat Entry Updated 2025-12-15

The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'dates_to_check' parameter in all versions up to, and including, 10.14.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2025-12804 - Booking Calendar Plugin
MEDIUM | CVSS 6.4 | 2025-12-05 | Threat Entry Updated 2025-12-08

The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bookingcalendar' shortcode in all versions up to, and including, 10.14.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-12788 - Hydra Booking — Appointment Scheduling & Booking Calendar Plugin
MEDIUM | CVSS 5.3 | 2025-11-11 | Threat Entry Updated 2025-11-12

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to an unauthenticated payment bypass due to missing payment verification in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without server-side verification against PayPal's API. This makes it possible for unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction occurring.

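The fix for the class of bug in CVE-2025-12788 is that the server, not the browser, asks the payment provider whether an order was paid, and that it compares the paid amount with the price it computed itself. The following is an added example and not Hydra Booking's code: the `bc_` functions, the booking-as-post storage, the option names and the expectation that the order was created with the booking ID in `custom_id` are assumptions; the PayPal Orders v2 endpoints and response fields are shown as the author understands them and should be checked against PayPal's documentation.

```php
<?php
// Added example, not plugin code. Function names, meta keys, option names and
// the custom_id convention are assumptions. PayPal API shape: Orders v2 as
// documented by PayPal (GET /v2/checkout/orders/{id}); verify against their docs.

// --- Vulnerable: trusts the client's claim that it paid ---
function bc_paypal_confirm_vulnerable() {
    $booking_id = (int) $_POST['booking_id'];
    if ( ( $_POST['payment_status'] ?? '' ) === 'COMPLETED' ) {
        update_post_meta( $booking_id, 'bc_paid', 1 );   // one forged POST marks it paid
    }
    wp_send_json_success();
}

// --- Hardened: only an order ID is taken from the client ---
function bc_paypal_access_token( $client_id, $secret, $api_base ) {
    $resp = wp_remote_post( $api_base . '/v1/oauth2/token', array(
        'headers' => array( 'Authorization' => 'Basic ' . base64_encode( $client_id . ':' . $secret ) ),
        'body'    => array( 'grant_type' => 'client_credentials' ),
        'timeout' => 15,
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return null;
    }
    $json = json_decode( wp_remote_retrieve_body( $resp ), true );
    return $json['access_token'] ?? null;
}

function bc_paypal_confirm_secure() {
    $booking_id = (int) ( $_POST['booking_id'] ?? 0 );
    $order_id   = sanitize_text_field( wp_unslash( $_POST['paypal_order_id'] ?? '' ) );
    if ( ! $booking_id || ! preg_match( '/^[A-Z0-9]{10,30}$/', $order_id ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    $api_base = 'https://api-m.paypal.com';   // api-m.sandbox.paypal.com for sandbox
    $token    = bc_paypal_access_token( get_option( 'bc_paypal_client_id' ), get_option( 'bc_paypal_secret' ), $api_base );
    if ( ! $token ) {
        wp_send_json_error( 'payment gateway unavailable', 502 );
    }

    // Ask PayPal about the order; nothing about its status comes from the browser.
    $resp = wp_remote_get( $api_base . '/v2/checkout/orders/' . rawurlencode( $order_id ), array(
        'headers' => array( 'Authorization' => 'Bearer ' . $token ),
        'timeout' => 15,
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_send_json_error( 'order lookup failed', 502 );
    }
    $order = json_decode( wp_remote_retrieve_body( $resp ), true );

    // Expected price and currency are recomputed server-side, never read from the request.
    $expected_amount   = number_format( (float) get_post_meta( $booking_id, 'bc_price', true ), 2, '.', '' );
    $expected_currency = get_option( 'bc_currency', 'USD' );
    $unit              = $order['purchase_units'][0] ?? array();

    // custom_id binds the order to this booking, so one paid order cannot confirm another booking.
    if ( ( $order['status'] ?? '' ) !== 'COMPLETED'
        || ( $unit['amount']['value'] ?? null ) !== $expected_amount
        || ( $unit['amount']['currency_code'] ?? null ) !== $expected_currency
        || (string) $booking_id !== (string) ( $unit['custom_id'] ?? '' ) ) {
        wp_send_json_error( 'payment not verified', 402 );
    }

    update_post_meta( $booking_id, 'bc_paypal_order_id', $order_id );
    update_post_meta( $booking_id, 'bc_paid', 1 );
    wp_send_json_success();
}
```

Amounts are compared as the strings PayPal returns ("25.00") against a `number_format` of the stored price, which avoids floating-point equality; a mismatch in amount or currency is treated the same as an unpaid order.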
CVE-2025-12787 - Hydra Booking — Appointment Scheduling & Booking Calendar Plugin
MEDIUM | CVSS 5.3 | 2025-11-11 | Threat Entry Updated 2025-11-12

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's "tfhb_meeting_form_submit_callback" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint.

CVE-2025-9346 - Booking Calendar Plugin
MEDIUM | CVSS 6.4 | 2025-08-28 | Threat Entry Updated 2025-08-29

The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 10.14.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-13821 - Booking Calendar Plugin
MEDIUM | CVSS 5.3 | 2025-02-12 | Threat Entry Updated 2025-02-25

The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted. This makes it possible for unauthenticated attackers to manipulate their confirmed bookings, even after they have been approved.

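CVE-2025-12787 (guessable cancellation tokens behind a shared nonce) and CVE-2024-13821 (no re-verification before a post-confirmation change) are two ends of the same problem: a guest's later actions on a booking need a secret that only the legitimate customer holds, and every change must present it. The following is an added example, not code from either plugin; the `bc_` names, the booking-as-post storage and the transient-based throttle are assumptions. It generates a 256-bit token from the OS CSPRNG, stores only its hash, verifies it in constant time with an expiry, throttles attempts, and requires it for every post-confirmation change rather than only at submission.

```php
<?php
// Added example, not plugin code. Function names, meta keys and the throttle
// key scheme are assumptions for illustration.

// --- Vulnerable: small, non-cryptographic token space ---
function bc_cancel_token_vulnerable( $booking_id ) {
    // mt_rand() is not a CSPRNG and four digits is ~10k guesses; with one nonce
    // shared by every visitor the endpoint can be hammered until one hits.
    return md5( $booking_id . mt_rand( 1000, 9999 ) );
}

// --- Hardened ---
function bc_issue_booking_token( $booking_id ) {
    $token = bin2hex( random_bytes( 32 ) );          // 256 bits from the OS CSPRNG
    // Only the hash is stored: a database read (e.g. via SQLi) yields no usable token.
    update_post_meta( $booking_id, 'bc_token_hash', hash( 'sha256', $token ) );
    update_post_meta( $booking_id, 'bc_token_expires', time() + 30 * DAY_IN_SECONDS );
    return $token;                                   // goes only into the customer's e-mail link
}

function bc_verify_booking_token( $booking_id, $presented ) {
    $stored  = (string) get_post_meta( $booking_id, 'bc_token_hash', true );
    $expires = (int) get_post_meta( $booking_id, 'bc_token_expires', true );
    if ( '' === $stored || time() > $expires ) {
        return false;
    }
    // Constant-time comparison so response timing does not leak matching prefixes.
    return hash_equals( $stored, hash( 'sha256', (string) $presented ) );
}

function bc_throttle( $key, $limit, $window ) {
    // Per-key attempt counter in a transient: crude, but it turns online guessing
    // into a non-starter even for tokens far shorter than 256 bits.
    $count = (int) get_transient( $key );
    if ( $count >= $limit ) {
        return false;
    }
    set_transient( $key, $count + 1, $window );
    return true;
}

add_action( 'wp_ajax_nopriv_bc_cancel', 'bc_cancel_secure' );
add_action( 'wp_ajax_bc_cancel', 'bc_cancel_secure' );
function bc_cancel_secure() {
    $booking_id = (int) ( $_POST['booking_id'] ?? 0 );
    $token      = (string) ( $_POST['token'] ?? '' );
    // REMOTE_ADDR is the peer address; behind a trusted proxy use the proxy's client header instead.
    $ip         = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

    if ( ! bc_throttle( 'bc_cancel_' . md5( $ip ), 10, 10 * MINUTE_IN_SECONDS ) ) {
        wp_send_json_error( 'too many attempts', 429 );
    }
    // The same check guards every post-confirmation action (cancel, reschedule,
    // edit), which is the re-verification CVE-2024-13821 says was missing.
    if ( ! $booking_id || ! bc_verify_booking_token( $booking_id, $token ) ) {
        wp_send_json_error( 'invalid token', 403 );
    }
    update_post_meta( $booking_id, 'bc_status', 'cancelled' );
    delete_post_meta( $booking_id, 'bc_token_hash' );   // single use: a leaked link cannot be replayed
    wp_send_json_success();
}
```

Note that the WordPress nonce is deliberately not what protects this endpoint: nonces are a CSRF control, are valid for 12 to 24 hours, and for logged-out visitors are all derived from the same user ID, which is exactly why a "globally shared nonce" adds nothing against brute force. The per-booking secret is the authorization; the nonce can still be added on top for CSRF.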
CVE-2024-12077 - Booking Calendar Plugin
MEDIUM | CVSS 6.1 | 2025-01-07 | Threat Entry Updated 2025-01-07

The Booking Calendar and Booking Calendar Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'calendar_id' parameter in all versions up to, and including, 3.2.19 and 11.2.19 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-8797 - WP Booking System – Booking Calendar Plugin
MEDIUM | CVSS 6.1 | 2024-09-14 | Threat Entry Updated 2024-09-27

The WP Booking System – Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.19.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-6930 - Booking Calendar Plugin
MEDIUM | CVSS 6.4 | 2024-07-24 | Threat Entry Updated 2024-11-21

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute within the plugin's bookingform shortcode in all versions up to, and including, 10.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-1207 - Booking Calendar Plugin
CRITICAL | CVSS 9.8 | 2024-02-08 | Threat Entry Updated 2024-11-21

The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

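CVE-2024-1207 and CVE-2025-14383 both describe the same shape of bug: a comma-separated list of dates from the request is spliced into an `IN (...)` clause. The following is an added example, not code from the Booking Calendar plugin; the table, column and function names are assumptions, and the ISO `YYYY-MM-DD` format is an assumption too (the 2024 parameter name suggests a dd.mm.yy form; the validation regex is the only thing that would change). It shows the concatenation that makes a quote in one element end the string literal, and the hardened version that validates each element as a real calendar date and binds every value through `$wpdb->prepare()` with one placeholder per element.

```php
<?php
// Added example, not plugin code. Table/column/function names and the date
// format are assumptions for illustration.

// --- Vulnerable: the CSV is spliced into the query text ---
function bc_booked_dates_vulnerable( $dates_csv ) {
    global $wpdb;
    // A single quote inside any element ends the string literal and the rest of
    // the element runs as SQL; a sleep-style payload is what makes it "time-based blind".
    $sql = "SELECT booking_date FROM {$wpdb->prefix}bc_dates WHERE booking_date IN ('"
         . str_replace( ',', "','", $dates_csv ) . "')";
    return $wpdb->get_col( $sql );
}

// --- Hardened: validate the shape, then bind every value ---
function bc_parse_dates_csv( $dates_csv, $max = 62 ) {
    $out = array();
    foreach ( explode( ',', (string) $dates_csv ) as $raw ) {
        $raw = trim( $raw );
        // Accept only YYYY-MM-DD that is also a real calendar date (checkdate is month, day, year).
        if ( ! preg_match( '/^(\d{4})-(\d{2})-(\d{2})$/', $raw, $m )
            || ! checkdate( (int) $m[2], (int) $m[3], (int) $m[1] ) ) {
            return null;   // one bad element rejects the whole request
        }
        $out[ $raw ] = $raw;   // de-duplicate
        if ( count( $out ) > $max ) {
            return null;   // bound the IN list; two months of dates is plenty for a calendar view
        }
    }
    return array_values( $out );
}

function bc_booked_dates_secure( $dates_csv ) {
    global $wpdb;
    $dates = bc_parse_dates_csv( $dates_csv );
    if ( empty( $dates ) ) {
        return array();
    }
    // One %s placeholder per value; prepare() quotes and escapes each one.
    $placeholders = implode( ', ', array_fill( 0, count( $dates ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT booking_date FROM {$wpdb->prefix}bc_dates WHERE booking_date IN ({$placeholders})",
        $dates
    );
    return $wpdb->get_col( $sql );
}

// Usage from a request handler (unauthenticated front-end endpoint):
// $dates = bc_booked_dates_secure( wp_unslash( $_POST['dates_to_check'] ?? '' ) );
```

Validation before binding is not redundant: `prepare()` alone would stop the injection, but a strict format check also rejects garbage that would otherwise reach the query, and the cap on list length stops a caller turning a calendar lookup into a multi-thousand-element `IN` clause.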
CVE-2023-4620 - Booking Calendar Plugin
MEDIUM | CVSS 6.1 | 2023-10-16 | Threat Entry Updated 2025-05-02

The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking form data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators.

CVE-2022-1463 - Booking Calendar Plugin
HIGH | CVSS 8.8 | 2022-05-10 | Threat Entry Updated 2024-11-21

The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. This could be exploited by subscriber-level users and above to instantiate arbitrary PHP objects on a vulnerable site.

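PHP object injection through a shortcode, as in CVE-2022-1463, comes from passing user-controlled text to `unserialize()`, which will instantiate any loaded class and run its `__wakeup` or `__destruct`. The advisory names the shortcode but not the attribute, so the following is an added example, not the plugin's code: the `bc_timeline` shortcode, its `options` attribute and the option keys are assumptions. It shows the unsafe call, the minimal fix (`allowed_classes => false`, which turns any object in the input into `__PHP_Incomplete_Class` and so denies gadget chains), and the preferred design of not accepting serialized PHP from users at all.

```php
<?php
// Added example, not plugin code. Shortcode name, attribute and option keys
// are assumptions for illustration.

// --- Vulnerable: serialized PHP from a shortcode attribute is unserialized ---
function bc_timeline_options_vulnerable( $atts ) {
    // Any class loaded on the site with a __wakeup()/__destruct() side effect is a gadget.
    // maybe_unserialize() would be no better: it does not restrict classes either.
    return unserialize( $atts['options'] );
}

// --- Hardened, option 1: refuse objects entirely ---
function bc_timeline_options_secure( $atts ) {
    $data = unserialize( (string) ( $atts['options'] ?? '' ), array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}

// --- Hardened, option 2 (preferred for new code): no serialized PHP in user input.
//     Accept a JSON document and validate each field against an allow-list. ---
function bc_timeline_options_json( $atts ) {
    $data = json_decode( (string) ( $atts['options'] ?? '' ), true );   // arrays only, never objects
    if ( ! is_array( $data ) ) {
        return array();
    }
    $clean          = array();
    $clean['view']  = in_array( $data['view'] ?? '', array( 'month', 'week' ), true ) ? $data['view'] : 'month';
    $clean['days']  = min( 366, max( 1, (int) ( $data['days'] ?? 30 ) ) );
    $clean['start'] = preg_match( '/^\d{4}-\d{2}-\d{2}$/', (string) ( $data['start'] ?? '' ) )
        ? $data['start'] : current_time( 'Y-m-d' );
    return $clean;
}

add_shortcode( 'bc_timeline', 'bc_timeline_shortcode' );
function bc_timeline_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'options' => '' ), $atts, 'bc_timeline' );
    $opt  = bc_timeline_options_json( $atts );
    // Escape on output as well; validated data is still data.
    return '<div class="bc-timeline" data-view="' . esc_attr( $opt['view'] )
         . '" data-days="' . (int) $opt['days']
         . '" data-start="' . esc_attr( $opt['start'] ) . '"></div>';
}
```

Option 1 is the right patch for existing callers that already receive serialized strings, because it changes nothing about the data format; option 2 is what to write when the attribute format is still yours to choose.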
CVE-2021-25040 - Booking Calendar Plugin
MEDIUM | CVSS 6.1 | 2022-01-03 | Threat Entry Updated 2024-11-21

The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting vulnerability.

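Nine of the entries on this page are cross-site scripting in one of four places: shortcode attributes (CVE-2025-12804, CVE-2024-6930), a request parameter reflected into an admin page (CVE-2021-25040, CVE-2024-12077), a URL built with `add_query_arg`/`remove_query_arg` (CVE-2024-8797), and stored data later shown to administrators (CVE-2023-4620, CVE-2025-9346, CVE-2026-1083). The following is an added example, not code from any of those plugins; the shortcode, function, meta and option names are assumptions. Each section shows the unescaped line as a comment beside the escaped form, using the WordPress escaping function that matches the output context.

```php
<?php
// Added example, not plugin code. Shortcode, function, meta and option names
// are assumptions for illustration.

// --- Shortcode attributes: any Contributor can place a shortcode in a post ---
add_shortcode( 'bc_form', 'bc_form_shortcode_secure' );
function bc_form_shortcode_secure( $atts ) {
    $atts = shortcode_atts( array( 'type' => 'standard', 'title' => '' ), $atts, 'bc_form' );
    // Allow-list where the value selects behaviour; escape where it is displayed.
    $type = in_array( $atts['type'], array( 'standard', 'compact' ), true ) ? $atts['type'] : 'standard';
    // Vulnerable: return "<div class='bc-" . $atts['type'] . "'>" . $atts['title'] . "</div>";
    return '<div class="bc-' . esc_attr( $type ) . '">' . esc_html( $atts['title'] ) . '</div>';
}

// --- Request parameter reflected into an admin page ---
function bc_admin_filter_notice_secure() {
    $booking_type = isset( $_GET['booking_type'] ) ? sanitize_text_field( wp_unslash( $_GET['booking_type'] ) ) : '';
    // Vulnerable: echo '<p>Type: ' . $_GET['booking_type'] . '</p>';
    echo '<p>Type: ' . esc_html( $booking_type ) . '</p>';
}

// --- URL built from the current request ---
function bc_pagination_link_secure( $page ) {
    // With no explicit URL, add_query_arg()/remove_query_arg() start from REQUEST_URI,
    // which the visitor controls; the result must pass esc_url() before it reaches HTML.
    $url = add_query_arg( array( 'bc_page' => (int) $page ), remove_query_arg( 'bc_msg' ) );
    // Vulnerable: return '<a href="' . $url . '">' . $page . '</a>';
    return '<a href="' . esc_url( $url ) . '">' . (int) $page . '</a>';
}

// --- Stored booking data later shown to an administrator ---
function bc_save_booking_note( $booking_id, $value ) {
    // Sanitize on the way in (a guest submits this from the front-end form) ...
    update_post_meta( $booking_id, 'bc_note', sanitize_textarea_field( wp_unslash( $value ) ) );
}
function bc_render_booking_note( $booking_id ) {
    // ... and escape on the way out regardless of how it got in. Administrators
    // are the target here, and on multisite or with unfiltered_html disabled
    // even an Administrator must not be able to store script via settings.
    return '<td>' . esc_html( get_post_meta( $booking_id, 'bc_note', true ) ) . '</td>';
}

// --- Settings: a sanitize callback so values never enter the options table unchecked ---
add_action( 'admin_init', function () {
    register_setting( 'bc_options', 'bc_min_length', array(
        'type'              => 'integer',
        'sanitize_callback' => 'absint',
    ) );
    register_setting( 'bc_options', 'bc_form_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
} );
```

The rule of thumb these share: sanitize when storing, escape when printing, and pick the escaper by where the value lands (`esc_html` in text, `esc_attr` inside an attribute, `esc_url` in `href`/`src`). Sanitizing on input alone is not enough, because data also arrives through imports, older records and other plugins.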