Skip to main content

Booking Calendar

19 CVEs product

Monthly

CVE-2026-32358 HIGH This Week

Booking Calendar versions 10.14.15 and earlier contain a blind SQL injection vulnerability in database query handling that allows high-privileged authenticated users to execute arbitrary SQL commands. An attacker with administrative credentials could exploit this to extract sensitive database information and potentially disrupt service availability. A patch is not currently available, requiring users to implement alternative mitigations or limit administrative access.

SQLi Booking Calendar
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2024-13821 MEDIUM PATCH This Month

The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Authentication Bypass Booking Calendar
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2024-10856 MEDIUM PATCH This Month

The Booking Calendar WpDevArt plugin is vulnerable to time-based, blind SQL injection via the `id` parameter in the “wpdevart_booking_calendar” shortcode in versions up to, and including, 3.2.19 due. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi Booking Calendar
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-6930 MEDIUM PATCH This Month

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute within the plugin's bookingform shortcode in all versions up to, and including,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Booking Calendar
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-1207 CRITICAL PATCH Act Now

The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 78.7%.

SQLi WordPress Booking Calendar
NVD VulDB
CVSS 3.1
9.8
EPSS
78.7%
Threat
4.3
CVE-2023-51520 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPdevelop / Oplugins WP Booking Calendar allows Stored XSS.7.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Booking Calendar
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2023-4620 MEDIUM POC This Month

The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Booking Calendar
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-36384 MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Booking Calendar
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-24388 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions affects plugin forms actions (create, duplicate, edit, delete). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Booking Calendar
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2022-3982 CRITICAL POC Act Now

The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Booking Calendar
NVD WPScan
CVSS 3.1
9.8
EPSS
4.5%
CVE-2022-33177 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WPdevelop/Oplugins Booking Calendar plugin <= 9.2.1 at WordPress leading to Translations Update. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress Booking Calendar
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2022-1463 HIGH POC This Week

The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP WordPress Booking Calendar
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2018-10363 HIGH This Week

An issue was discovered in the WpDevArt "Booking calendar, Appointment Booking System" plugin 2.2.2 for WordPress. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Booking Calendar
NVD GitHub
CVSS 3.0
7.5
EPSS
1.4%
CVE-2018-5673 HIGH POC This Week

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress PHP Booking Calendar
NVD GitHub
CVSS 3.0
8.8
EPSS
0.8%
CVE-2018-5672 MEDIUM POC This Month

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Booking Calendar
NVD GitHub
CVSS 3.0
4.8
EPSS
0.6%
CVE-2018-5671 MEDIUM POC This Month

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Booking Calendar
NVD GitHub
CVSS 3.0
4.8
EPSS
0.6%
CVE-2018-5670 MEDIUM POC This Month

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Booking Calendar
NVD GitHub
CVSS 3.0
4.8
EPSS
0.6%
CVE-2017-2151 MEDIUM This Month

Cross-site scripting vulnerability in Booking Calendar version 7.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Booking Calendar
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-2150 MEDIUM This Month

Directory traversal vulnerability in Booking Calendar version 7.0 and earlier allows remote attackers to read arbitrary files via specially crafted captcha_chalange parameter. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Booking Calendar
NVD
CVSS 3.0
5.3
EPSS
1.2%
EPSS 0% CVSS 7.6
HIGH This Week

Booking Calendar versions 10.14.15 and earlier contain a blind SQL injection vulnerability in database query handling that allows high-privileged authenticated users to execute arbitrary SQL commands. An attacker with administrative credentials could exploit this to extract sensitive database information and potentially disrupt service availability. A patch is not currently available, requiring users to implement alternative mitigations or limit administrative access.

SQLi Booking Calendar
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Authentication Bypass Booking Calendar
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The Booking Calendar WpDevArt plugin is vulnerable to time-based, blind SQL injection via the `id` parameter in the “wpdevart_booking_calendar” shortcode in versions up to, and including, 3.2.19 due. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi Booking Calendar
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute within the plugin's bookingform shortcode in all versions up to, and including,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Booking Calendar
NVD
EPSS 79% 4.3 CVSS 9.8
CRITICAL PATCH Act Now

The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 78.7%.

SQLi WordPress Booking Calendar
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPdevelop / Oplugins WP Booking Calendar allows Stored XSS.7.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Booking Calendar
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Booking Calendar
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Booking Calendar
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions affects plugin forms actions (create, duplicate, edit, delete). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Booking Calendar
NVD
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WPdevelop/Oplugins Booking Calendar plugin <= 9.2.1 at WordPress leading to Translations Update. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress Booking Calendar
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP WordPress +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered in the WpDevArt "Booking calendar, Appointment Booking System" plugin 2.2.2 for WordPress. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Booking Calendar
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress PHP +1
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP +1
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP +1
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Booking Calendar version 7.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Booking Calendar
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Directory traversal vulnerability in Booking Calendar version 7.0 and earlier allows remote attackers to read arbitrary files via specially crafted captcha_chalange parameter. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Booking Calendar
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy