Wp Time Slots Booking Form
Monthly
SQL injection in the WP Time Slots Booking Form WordPress plugin (versions 1.2.50 and earlier) allows authenticated Subscriber-level users to inject arbitrary SQL into backend database queries. The CVSS 3.1 vector indicates a scope change with high confidentiality impact, meaning an attacker who only holds the lowest WordPress role can read data beyond the plugin's own scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Reflected/stored cross-site scripting in the WP Time Slots Booking Form WordPress plugin (versions up to and including 1.2.46) lets remote unauthenticated attackers inject script that executes in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36994, carries a CVSS 7.1 due to the scope change against the WordPress origin, and no public exploit identified at time of analysis.
WP Time Slots Booking Form through version 1.2.42 contains a missing authorization vulnerability that allows unauthenticated attackers to modify booking data through improperly configured access controls. An attacker can exploit this to alter time slot reservations and other critical booking information without authentication. No patch is currently available for this vulnerability.
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.2.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.2.06. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CodePeople WP Time Slots Booking Form allows Stored XSS.2.10. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.1.76. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in the WP Time Slots Booking Form WordPress plugin (versions 1.2.50 and earlier) allows authenticated Subscriber-level users to inject arbitrary SQL into backend database queries. The CVSS 3.1 vector indicates a scope change with high confidentiality impact, meaning an attacker who only holds the lowest WordPress role can read data beyond the plugin's own scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Reflected/stored cross-site scripting in the WP Time Slots Booking Form WordPress plugin (versions up to and including 1.2.46) lets remote unauthenticated attackers inject script that executes in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36994, carries a CVSS 7.1 due to the scope change against the WordPress origin, and no public exploit identified at time of analysis.
WP Time Slots Booking Form through version 1.2.42 contains a missing authorization vulnerability that allows unauthenticated attackers to modify booking data through improperly configured access controls. An attacker can exploit this to alter time slot reservations and other critical booking information without authentication. No patch is currently available for this vulnerability.
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.2.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.2.06. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CodePeople WP Time Slots Booking Form allows Stored XSS.2.10. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.1.76. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.