CVE-2024-50425 – WordPress WP Booking System – Booking Calendar plugin <= 2.0.19.10 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-50425
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Veribo, Roland Murg WP Booking System. This issue affects WP Booking System: from n/a through 2.0.19.10. The missing authorization vulnerability in Mondula GmbH Multi Step Form allows exploiting incorrectly configured access control security levels. This issue affects Multi Step Form: from n/a through 1.7.21. The WP Booking System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpbs_refresh_calendar_editor function in versions up to, and including, 2.0.19.10. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify calendars. • https://patchstack.com/database/vulnerability/wp-booking-system/wordpress-wp-booking-system-plugin-2-0-19-10-broken-access-control-vulnerability?_s_id=cve • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere CWE-862: Missing Authorization •
CVE-2023-49758 – WP Booking System <= 2.0.19.2 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-49758
The WP Booking System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpbs_save_calendar_data function in versions up to, and including, 2.0.19.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to save calendar data. • CWE-862: Missing Authorization •
CVE-2023-24402 – WordPress WP Booking System Plugin <= 2.0.18 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-24402
Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Veribo, Roland Murg WP Booking System – Booking Calendar plugin <= 2.0.18 versions. The WP Booking System plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/wp-booking-system/wordpress-wp-booking-system-booking-calendar-plugin-2-0-18-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-25061 – WP Booking System – Booking Calendar < 2.0.15 - Authenticated Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-25061
The WP Booking System WordPress plugin before 2.0.15 was affected by a reflected XSS in wp-booking-system on the wpbs-calendars admin page. • https://plugins.trac.wordpress.org/changeset/2643776/wp-booking-system https://wpscan.com/vulnerability/bd9dc754-08a4-4bfc-8dda-3f5c0e070f7e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-12239 – WP Booking System Free version < 1.5.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-12239
The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative access. • http://dumpco.re/bugs/wp-plugin-wp-booking-system-sqli https://wordpress.org/plugins/wp-booking-system/#developers https://wpvulndb.com/vulnerabilities/9284 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-352: Cross-Site Request Forgery (CSRF) •