VYPR

Appointment Booking Calendar

by WordPress

CVEs (17)

  • CVE-2016-10916 | Critical | Aug 22, 2019
    risk 0.64 | cvss 9.8 | epss 0.02

    The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than CVE-2015-7319.

  • CVE-2020-9372 | High | Mar 4, 2020
    risk 0.54 | cvss 7.8 | epss 0.09

    The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The…

  • CVE-2023-50852 | High | Dec 28, 2023
    risk 0.49 | cvss 7.6 | epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Booking Calendar | Appointment Booking | BookIt. This issue affects Booking Calendar | Appointment Booking | BookIt: from n/a through 2.4.3.

  • CVE-2016-20084 | High | Jun 15, 2026
    risk 0.47 | cvss 7.2 | epss 0.00

    WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject…

  • CVE-2019-14791 | Medium | Aug 9, 2019
    risk 0.40 | cvss 6.1 | epss 0.01

    The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter.

  • CVE-2025-64261 | Medium | Nov 13, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Missing Authorization vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appointment Booking Calendar: from n/a through <= 1.3.95.

  • CVE-2026-1932 | Medium | Feb 14, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    The Appointment Booking Calendar Plugin – Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for…

  • CVE-2025-13317 | Medium | Nov 22, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts…

  • CVE-2020-9371 | Medium | Mar 4, 2020
    risk 0.34 | cvss 4.8 | epss 0.04

    Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML.

  • CVE-2026-1083 | Medium | Jan 28, 2026
    risk 0.29 | cvss 4.4 | epss 0.00

    The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min…

  • CVE-2022-43482 | Medium | Nov 18, 2022
    risk 0.28 | cvss 4.3 | epss 0.00

    Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress.

  • CVE-2024-7129 | Sep 13, 2024
    risk 0.01 | cvss (not listed) | epss 0.01

    The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which, if further exploited, can result in remote code execution by high-privilege users such as admins.

  • CVE-2026-1856 | Jun 19, 2026
    risk 0.00 | cvss (not listed) | epss 0.00

    The Appointment Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom booking field labels in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…

  • CVE-2026-12111 | Jun 18, 2026
    risk 0.00 | cvss (not listed) | epss 0.00

    The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2()…

  • CVE-2024-0856 | Mar 20, 2024
    risk 0.00 | cvss (not listed) | epss 0.00

    The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding a booking to the calendar without paying.

  • CVE-2015-7320 | Sep 29, 2015
    risk 0.00 | cvss (not listed) | epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2015-7319 | Sep 29, 2015
    risk 0.00 | cvss (not listed) | epss 0.02

    SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to updating the username.