VYPR

Bookit

by WordPress

Source repositories

CVEs (5)

  • CVE-2023-2834CriJun 30, 2023
    risk 0.57cvss 9.8epss 0.02

    The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated…

  • CVE-2026-40780HigJun 2, 2026
    risk 0.49cvss 7.5epss 0.00

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Liquid Web / StellarWP BookIt allows Password Recovery Exploitation. This issue affects BookIt: from n/a before 2.5.4.1.

  • CVE-2025-12633HigNov 12, 2025
    risk 0.42cvss 7.5epss 0.00

    The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This…

  • CVE-2024-24715MedMay 17, 2024
    risk 0.42cvss 6.5epss 0.00

    Improper Validation of Specified Quantity in Input vulnerability in The Events Calendar BookIt allows Manipulating Hidden Fields.This issue affects BookIt: from n/a through 2.4.0.

  • CVE-2025-12841MedDec 12, 2025
    risk 0.35cvss 5.3epss 0.01

    The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options.