Pinpoint Booking System
Monthly
Unauthenticated remote attackers can bypass access control in DOTonPAPER Pinpoint Booking System versions up to 2.9.9.6.5 to view sensitive booking data due to missing authorization checks on API endpoints. The vulnerability allows information disclosure with low confidentiality impact, and while CVSS rates it 5.3 (medium), the 0.02% EPSS score indicates minimal real-world exploitation probability despite the straightforward network-based attack vector.
The Pinpoint Booking System - #1 WordPress Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘schedule’ parameter in all versions up to, and including, 2.9.9.5.0 due to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
The Pinpoint Booking System WordPress plugin before 2.9.9.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in PINPOINT.WORLD Pinpoint Booking System plugin <= 2.9.9.4.0 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Pinpoint Booking System WordPress plugin before 2.9.9.2.9 does not validate and escape one of its shortcode attributes before using it in a SQL statement, which could allow any authenticated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated remote attackers can bypass access control in DOTonPAPER Pinpoint Booking System versions up to 2.9.9.6.5 to view sensitive booking data due to missing authorization checks on API endpoints. The vulnerability allows information disclosure with low confidentiality impact, and while CVSS rates it 5.3 (medium), the 0.02% EPSS score indicates minimal real-world exploitation probability despite the straightforward network-based attack vector.
The Pinpoint Booking System - #1 WordPress Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘schedule’ parameter in all versions up to, and including, 2.9.9.5.0 due to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
The Pinpoint Booking System WordPress plugin before 2.9.9.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in PINPOINT.WORLD Pinpoint Booking System plugin <= 2.9.9.4.0 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Pinpoint Booking System WordPress plugin before 2.9.9.2.9 does not validate and escape one of its shortcode attributes before using it in a SQL statement, which could allow any authenticated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.