Skip to main content

Booking Calendar Appointment Booking System

2 CVEs product

Monthly

CVE-2026-57778 MEDIUM This Month

Missing authorization in the wpdevart Booking Calendar, Appointment Booking System WordPress plugin (versions through 3.2.36) permits unauthenticated remote attackers to bypass access controls and perform restricted booking-related actions, resulting in unauthorized data modification. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is trivially reachable over the network with no authentication, though impact is limited to integrity (I:L) with no confidentiality or availability consequence. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Booking Calendar Appointment Booking System
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-25435 HIGH This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in the wpdevart Booking Calendar and Appointment Booking System WordPress plugin through version 3.2.36, allowing attackers to inject and execute malicious JavaScript code that persists in the application database. An authenticated or unauthenticated attacker can exploit this vulnerability to steal session cookies, perform actions on behalf of legitimate users, or redirect visitors to malicious sites. No CVSS score, EPSS probability, or active exploitation in the wild (KEV status) are currently available, but the vulnerability affects a widely-used booking plugin and likely represents a significant risk given the prevalence of WordPress installations.

XSS Booking Calendar Appointment Booking System
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in the wpdevart Booking Calendar, Appointment Booking System WordPress plugin (versions through 3.2.36) permits unauthenticated remote attackers to bypass access controls and perform restricted booking-related actions, resulting in unauthorized data modification. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is trivially reachable over the network with no authentication, though impact is limited to integrity (I:L) with no confidentiality or availability consequence. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Booking Calendar Appointment Booking System
NVD
EPSS 0% CVSS 7.1
HIGH This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in the wpdevart Booking Calendar and Appointment Booking System WordPress plugin through version 3.2.36, allowing attackers to inject and execute malicious JavaScript code that persists in the application database. An authenticated or unauthenticated attacker can exploit this vulnerability to steal session cookies, perform actions on behalf of legitimate users, or redirect visitors to malicious sites. No CVSS score, EPSS probability, or active exploitation in the wild (KEV status) are currently available, but the vulnerability affects a widely-used booking plugin and likely represents a significant risk given the prevalence of WordPress installations.

XSS Booking Calendar Appointment Booking System
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy