CVSS: 10.0EPSS: 71%CPEs: 1EXPL: 1CVE-2024-1207 – Booking Calendar <= 9.9 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-1207
07 Feb 2024 — The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. El complemento WP Booking... • https://github.com/sahar042/CVE-2024-1207 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51520 – WordPress Booking Calendar Plugin < 9.7.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-51520
25 Sep 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPdevelop / Oplugins WP Booking Calendar allows Stored XSS.This issue affects WP Booking Calendar: from n/a before 9.7.4. La vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web ('Cross-site Scripting') en WPdevelop/Oplugins WP Booking Calendar permite XSS almacenado. Este problema afecta a WP Booking Calendar: desde n/a antes de 9.7.4. The Booking Calendar plugin f... • https://patchstack.com/database/vulnerability/booking/wordpress-booking-calendar-plugin-9-7-4-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4620 – Booking Calendar < 9.7.3.1 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2023-4620
11 Sep 2023 — The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators El complemento de WordPress Booking Calendar anterior a la versión 9.7.3.1 no sanitiza ni escapa algunas de sus reservas de los datos, lo que permite a usuarios no autenticados realizar ataques de Cross-Site Scripting (XSS) Almacenado contra administradores. The Booking Calendar plugin for WordPre... • https://wpscan.com/vulnerability/084e9494-2f9e-4420-9bf7-78a1a41433d7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-33177 – WordPress Booking Calendar plugin <= 9.2.1 - Cross-Site Request Forgery (CSRF) vulnerabiulity
https://notcve.org/view.php?id=CVE-2022-33177
06 Sep 2022 — Cross-Site Request Forgery (CSRF) vulnerability in WPdevelop/Oplugins Booking Calendar plugin <= 9.2.1 at WordPress leading to Translations Update. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en el plugin WPdevelop/Oplugins Booking Calendar versiones anteriores a 9.2.1 incluyéndola en WordPress, conllevando a una actualización de las traducciones. The Booking Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 9.2.1. This is due to mis... • https://patchstack.com/database/vulnerability/booking/wordpress-booking-calendar-plugin-9-2-1-cross-site-request-forgery-csrf-leading-to-translations-update/_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1CVE-2022-1463 – Booking Calendar <= 9.1 - PHP Object Injection via Shortcode
https://notcve.org/view.php?id=CVE-2022-1463
18 Apr 2022 — The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. This could be exploited by subscriber-level users and above to call arbitrary PHP objects on a vulnerable site. El plugin Booking Calendar para WordPress es vulnerable a una inyección de objetos PHP por medio del shortcode [bookingflextimeline] en versiones hasta la 9.1 incluyéndola. Esto podría ser explotado por usuarios de nivel de suscriptor y supe... • https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-calendar-plugin • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-25040 – Booking Calendar < 8.9.2 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25040
06 Dec 2021 — The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting El plugin Booking Calendar de WordPress versiones anteriores a 8.9.2, no sanea y escapa del parámetro booking_type antes de devolverlo a una página de administración, conllevando a un problema de tipo Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/3ed821a6-c3e2-4964-86f8-d14c4a54708a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 14%CPEs: 1EXPL: 3CVE-2018-20556 – Booking Calendar <= 8.4.3 - SQL injection
https://notcve.org/view.php?id=CVE-2018-20556
28 Dec 2018 — SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter. Vulnerabilidad de inyección SQL en el plugin Booking Calendar 8.4.3 para WordPress permite que atacantes remotos ejecuten comandos SQL arbitrarios mediante el parámetro booking_id. WordPress Booking Calendar version 8.4.3 suffers from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/151692 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •