Skip to main content

Booking Package

5 CVEs product

Monthly

CVE-2026-15335 HIGH This Week

Unauthenticated SQL injection in the Booking Package WordPress plugin (versions up to and including 1.7.20, by developer masaakitanaka) lets remote attackers append SQL to an existing query via the 'email' form parameter on the /wp-json/booking-package/v1/request REST endpoint, enabling extraction of sensitive database contents. The endpoint is registered with permission_callback __return_true and REST-sourced $_POST values bypass wp_magic_quotes, so single quotes reach the SQL sink without authentication. Exploitability is severely constrained because the parameter is filtered through WordPress's is_email() before use, and there is no public exploit identified at time of analysis.

WordPress SQLi Booking Package
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-40774 HIGH This Week

Unauthenticated broken access control in the SaaSProject Booking Package WordPress plugin versions 1.7.06 and earlier allows remote attackers to invoke privileged plugin functionality without authentication, resulting in unauthorized modification of booking data (CVSS 7.5, integrity-only impact). The flaw is a CWE-862 Missing Authorization issue disclosed via Patchstack and tracked in ENISA EUVD as EUVD-2026-36983, with no public exploit identified at time of analysis.

Authentication Bypass Booking Package
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2023-39918 MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Booking Package
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2022-0709 HIGH POC This Week

The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Booking Package
NVD WPScan
CVSS 3.1
7.5
EPSS
1.6%
CVE-2021-20840 MEDIUM This Month

Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Booking Package
NVD
CVSS 3.1
6.1
EPSS
1.2%
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated SQL injection in the Booking Package WordPress plugin (versions up to and including 1.7.20, by developer masaakitanaka) lets remote attackers append SQL to an existing query via the 'email' form parameter on the /wp-json/booking-package/v1/request REST endpoint, enabling extraction of sensitive database contents. The endpoint is registered with permission_callback __return_true and REST-sourced $_POST values bypass wp_magic_quotes, so single quotes reach the SQL sink without authentication. Exploitability is severely constrained because the parameter is filtered through WordPress's is_email() before use, and there is no public exploit identified at time of analysis.

WordPress SQLi Booking Package
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated broken access control in the SaaSProject Booking Package WordPress plugin versions 1.7.06 and earlier allows remote attackers to invoke privileged plugin functionality without authentication, resulting in unauthorized modification of booking data (CVSS 7.5, integrity-only impact). The flaw is a CWE-862 Missing Authorization issue disclosed via Patchstack and tracked in ENISA EUVD as EUVD-2026-36983, with no public exploit identified at time of analysis.

Authentication Bypass Booking Package
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Booking Package
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Booking Package
NVD WPScan
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Booking Package
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy