
CVE-2024-1207 – Booking Calendar <= 9.9 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-1207
07 Feb 2024 — The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://github.com/sahar042/CVE-2024-1207 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-51520 – WordPress Booking Calendar Plugin < 9.7.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-51520
25 Sep 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPdevelop / Oplugins WP Booking Calendar allows Stored XSS. This issue affects WP Booking Calendar: from n/a before 9.7.4. The Booking Calendar plugin f... • https://patchstack.com/database/vulnerability/booking/wordpress-booking-calendar-plugin-9-7-4-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-4620 – Booking Calendar < 9.7.3.1 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2023-4620
11 Sep 2023 — The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking form data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators. The Booking Calendar plugin for WordPre... • https://wpscan.com/vulnerability/084e9494-2f9e-4420-9bf7-78a1a41433d7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-33177 – WordPress Booking Calendar plugin <= 9.2.1 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-33177
06 Sep 2022 — Cross-Site Request Forgery (CSRF) vulnerability in WPdevelop/Oplugins Booking Calendar plugin <= 9.2.1 at WordPress leading to Translations Update. The Booking Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 9.2.1. This is due to mis... • https://patchstack.com/database/vulnerability/booking/wordpress-booking-calendar-plugin-9-2-1-cross-site-request-forgery-csrf-leading-to-translations-update/_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)