Skip to main content

Booked

6 CVEs product

Monthly

CVE-2026-57747 MEDIUM This Month

Unauthenticated CSRF in Booked WordPress plugin (versions <= 3.0.0) enables remote attackers to trigger availability-impacting actions against authenticated WordPress users without their consent. The CVSS vector (C:N/I:N/A:H) indicates this CSRF leads to a destructive availability outcome - likely deletion or corruption of booking/scheduling data - rather than data theft or code execution. No public exploit or active exploitation has been identified at time of analysis, though the low attack complexity and no required privileges for staging the attack make social-engineering delivery straightforward.

CSRF Booked
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57746 HIGH This Week

Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-privileged authenticated users (Subscriber role) reach functionality or data they should not, resulting in high confidentiality exposure and limited integrity impact per the CVSS vector. The flaw stems from missing authorization checks (CWE-862) on plugin actions, so any registered site user can abuse it. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the issue was reported through Patchstack.

Authentication Bypass Booked
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2022-36399 MEDIUM This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BoxyStudio Booked - Appointment Booking for WordPress | Calendars.4.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress Booked
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-24058 MEDIUM POC This Month

Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId value to reservation_save.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Booked
NVD GitHub
CVSS 3.1
4.3
EPSS
0.9%
CVE-2022-30706 MEDIUM This Month

Open redirect vulnerability in Booked versions prior to 3.3 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Booked
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2019-9581 HIGH POC PATCH THREAT This Week

phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code, because. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP File Upload Booked
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
13.5%
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated CSRF in Booked WordPress plugin (versions <= 3.0.0) enables remote attackers to trigger availability-impacting actions against authenticated WordPress users without their consent. The CVSS vector (C:N/I:N/A:H) indicates this CSRF leads to a destructive availability outcome - likely deletion or corruption of booking/scheduling data - rather than data theft or code execution. No public exploit or active exploitation has been identified at time of analysis, though the low attack complexity and no required privileges for staging the attack make social-engineering delivery straightforward.

CSRF Booked
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-privileged authenticated users (Subscriber role) reach functionality or data they should not, resulting in high confidentiality exposure and limited integrity impact per the CVSS vector. The flaw stems from missing authorization checks (CWE-862) on plugin actions, so any registered site user can abuse it. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the issue was reported through Patchstack.

Authentication Bypass Booked
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BoxyStudio Booked - Appointment Booking for WordPress | Calendars.4.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress Booked
NVD
EPSS 1% CVSS 4.3
MEDIUM POC This Month

Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId value to reservation_save.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Booked
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

Open redirect vulnerability in Booked versions prior to 3.3 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Booked
NVD
EPSS 13% CVSS 8.8
HIGH POC PATCH THREAT This Week

phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code, because. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP File Upload Booked
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy