Booking Package
by WordPress
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-37389 | | High | 0.57 | 8.8 | 0.01 | | May 17, 2024 | Improper Privilege Management vulnerability in SAASPROJECT Booking Package Booking Package allows Privilege Escalation. This issue affects Booking Package: from n/a through 1.5.98. |
| CVE-2026-40774 | | High | 0.49 | 7.5 | 0.00 | | Jun 15, 2026 | Unauthenticated Broken Access Control in Booking Package <= 1.7.06 versions. |
| CVE-2024-30516 | | High | 0.49 | 7.5 | 0.00 | | Jan 5, 2026 | Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Booking Package: from n/a through 1.6.27. |
| CVE-2026-9851 | | High | 0.47 | 7.2 | 0.00 | | Jun 6, 2026 | The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only… |
| CVE-2024-13508 | | Medium | 0.40 | 6.1 | 0.00 | | Feb 19, 2025 | The Booking Package plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the locale parameter in all versions up to, and including, 1.6.72 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to… |
| CVE-2026-4911 | | Medium | 0.34 | 5.3 | 0.00 | | Apr 28, 2026 | The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06. This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the… |
| CVE-2023-39918 | | | 0.00 | — | 0.00 | | Sep 4, 2023 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in SAASPROJECT Booking Package Booking Package plugin <= 1.6.01 versions. |
| CVE-2022-0709 | | | 0.00 | — | 0.02 | | Apr 4, 2022 | The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the iCal representation of its booking calendar, but this token is returned in the JSON response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability. |
| CVE-2021-20840 | | | 0.00 | — | 0.01 | | Nov 24, 2021 | Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors. |