VYPR

Bookingcalendar

by WordPress

Source repositories

CVEs (12)

  • CVE-2018-20556HigMar 21, 2019
    risk 0.62cvss 8.8epss 0.19

    SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.

  • CVE-2018-5673HigJan 13, 2018
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via wp-admin/admin.php.

  • CVE-2025-14383HigDec 15, 2025
    risk 0.42cvss 7.5epss 0.00

    The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'dates_to_check' parameter in all versions up to, and including, 10.14.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the…

  • CVE-2024-9504HigNov 26, 2024
    risk 0.40cvss 7.2epss 0.00

    The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping. This makes it possible for…

  • CVE-2023-4620MedOct 16, 2023
    risk 0.40cvss 6.1epss 0.00

    The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators

  • CVE-2025-12804MedDec 5, 2025
    risk 0.35cvss 6.4epss 0.00

    The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bookingcalendar' shortcode in all versions up to, and including, 10.14.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…

  • CVE-2026-1431MedJan 31, 2026
    risk 0.34cvss 5.3epss 0.00

    The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to…

  • CVE-2024-12077MedJan 7, 2025
    risk 0.33cvss 6.1epss 0.00

    The Booking Calendar and Booking Calendar Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘calendar_id’ parameter in all versions up to, and including, 3.2.19 and 11.2.19 respectively, due to insufficient input sanitization and output…

  • CVE-2018-5672MedJan 13, 2018
    risk 0.31cvss 4.8epss 0.01

    An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php form_field5[label] parameter.

  • CVE-2018-5671MedJan 13, 2018
    risk 0.31cvss 4.8epss 0.01

    An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php extra_field1[items][field_item1][price_percent] parameter.

  • CVE-2018-5670MedJan 13, 2018
    risk 0.31cvss 4.8epss 0.01

    An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php sale_conditions[count][] parameter.

  • CVE-2026-2230MedFeb 18, 2026
    risk 0.21cvss 4.3epss 0.00

    The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers,…