VYPR

Booking Package

by WordPress

CVEs (9)

  • CVE-2023-37389 (High), May 17, 2024
    risk 0.57 cvss 8.8 epss 0.01

    Improper Privilege Management vulnerability in SAASPROJECT Booking Package Booking Package allows Privilege Escalation. This issue affects Booking Package: from n/a through 1.5.98.

  • CVE-2026-40774 (High), Jun 15, 2026
    risk 0.49 cvss 7.5 epss 0.00

    Unauthenticated Broken Access Control in Booking Package <= 1.7.06 versions.

  • CVE-2024-30516 (High), Jan 5, 2026
    risk 0.49 cvss 7.5 epss 0.00

    Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Booking Package: from n/a through 1.6.27.

  • CVE-2026-9851 (High), Jun 6, 2026
    risk 0.47 cvss 7.2 epss 0.00

    The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only…

  • CVE-2024-13508 (Medium), Feb 19, 2025
    risk 0.40 cvss 6.1 epss 0.00

    The Booking Package plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the locale parameter in all versions up to, and including, 1.6.72 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to…

  • CVE-2026-4911 (Medium), Apr 28, 2026
    risk 0.34 cvss 5.3 epss 0.00

    The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06. This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the…

  • CVE-2023-39918, Sep 4, 2023
    risk 0.00 cvss epss 0.00

    Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in SAASPROJECT Booking Package Booking Package plugin <= 1.6.01 versions.

  • CVE-2022-0709, Apr 4, 2022
    risk 0.00 cvss epss 0.02

    The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the iCal representation of its booking calendar, but this token is returned in the JSON response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability.

  • CVE-2021-20840, Nov 24, 2021
    risk 0.00 cvss epss 0.01

    Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors.