CVE-2021-25040 – Booking Calendar < 8.9.2 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25040
The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting El plugin Booking Calendar de WordPress versiones anteriores a 8.9.2, no sanea y escapa del parámetro booking_type antes de devolverlo a una página de administración, conllevando a un problema de tipo Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/3ed821a6-c3e2-4964-86f8-d14c4a54708a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-20556 – Booking Calendar <= 8.4.3 - SQL injection
https://notcve.org/view.php?id=CVE-2018-20556
SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter. Vulnerabilidad de inyección SQL en el plugin Booking Calendar 8.4.3 para WordPress permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro booking_id. WordPress Booking Calendar version 8.4.3 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/46377 http://packetstormsecurity.com/files/151692/WordPress-Booking-Calendar-8.4.3-SQL-Injection.html https://gist.github.com/B0UG/a750c2c204825453e6faf898ea6d09f6 https://vulners.com/exploitdb/EDB-ID:46377 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •