CVSS: 10.0EPSS: 71%CPEs: 1EXPL: 1CVE-2024-1207 – Booking Calendar <= 9.9 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-1207
07 Feb 2024 — The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. El complemento WP Booking... • https://github.com/sahar042/CVE-2024-1207 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24407 – WordPress Booking calendar, Appointment Booking System plugin <= 3.2.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-24407
27 Jan 2024 — Missing Authorization vulnerability in WpDevArt Booking calendar, Appointment Booking System allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.3. The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with E... • https://patchstack.com/database/wordpress/plugin/booking-calendar/vulnerability/wordpress-booking-calendar-appointment-booking-system-plugin-3-2-3-broken-access-control?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51520 – WordPress Booking Calendar Plugin < 9.7.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-51520
25 Sep 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPdevelop / Oplugins WP Booking Calendar allows Stored XSS.This issue affects WP Booking Calendar: from n/a before 9.7.4. La vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web ('Cross-site Scripting') en WPdevelop/Oplugins WP Booking Calendar permite XSS almacenado. Este problema afecta a WP Booking Calendar: desde n/a antes de 9.7.4. The Booking Calendar plugin f... • https://patchstack.com/database/vulnerability/booking/wordpress-booking-calendar-plugin-9-7-4-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4620 – Booking Calendar < 9.7.3.1 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2023-4620
11 Sep 2023 — The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators El complemento de WordPress Booking Calendar anterior a la versión 9.7.3.1 no sanitiza ni escapa algunas de sus reservas de los datos, lo que permite a usuarios no autenticados realizar ataques de Cross-Site Scripting (XSS) Almacenado contra administradores. The Booking Calendar plugin for WordPre... • https://wpscan.com/vulnerability/084e9494-2f9e-4420-9bf7-78a1a41433d7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36384 – WordPress Booking Calendar Contact Form Plugin <= 1.2.40 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-36384
22 Jun 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin <= 1.2.40 versions. The Booking Calendar Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dex_bccf_calendar_load2' parameter in versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user access... • https://patchstack.com/database/vulnerability/booking-calendar-contact-form/wordpress-booking-calendar-contact-form-plugin-1-2-40-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47428 – WordPress Booking calendar, Appointment Booking System Plugin <= 3.2.7 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2022-47428
19 Apr 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpDevArt Booking calendar, Appointment Booking System allows SQL Injection.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.7. La neutralización incorrecta de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en WpDevArt Booking calendar, Appointment Booking System permite la inyección de SQL. Este problema afecta Booking calendar, Ap... • https://patchstack.com/database/vulnerability/booking-calendar/wordpress-booking-calendar-appointment-booking-system-plugin-3-2-6-sql-injection?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47438 – WordPress Booking calendar, Appointment Booking System Plugin <= 3.2.3 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-47438
27 Jan 2023 — Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions. The Booking calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute wheneve... • https://patchstack.com/database/vulnerability/booking-calendar/wordpress-booking-calendar-appointment-booking-system-plugin-3-2-3-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24388 – WordPress Booking calendar, Appointment Booking System Plugin <= 3.2.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-24388
27 Jan 2023 — Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions affects plugin forms actions (create, duplicate, edit, delete). The Booking calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.3. This is due to missing or incorrect nonce validation when creating, editing, duplicating and deleting bookings. This makes it possible for unauthenticated attackers to manipulate bookings usi... • https://patchstack.com/database/vulnerability/booking-calendar/wordpress-booking-calendar-appointment-booking-system-plugin-3-2-3-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24373 – WordPress Booking calendar, Appointment Booking System plugin <= 3.2.3 - Bypass vulnerability
https://notcve.org/view.php?id=CVE-2023-24373
27 Jan 2023 — External Control of Assumed-Immutable Web Parameter vulnerability in WpDevArt Booking calendar, Appointment Booking System allows Manipulating Hidden Fields.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.3. Control externo de la vulnerabilidad de parámetro web supuestamente inmutable en WpDevArt Booking calendar, Appointment Booking System allows Manipulating Hidden Fields. Este problema afecta a Booking calendar, Appointment Booking System: desde n/a hasta 3.2.3. The ... • https://patchstack.com/database/vulnerability/booking-calendar/wordpress-booking-calendar-appointment-booking-system-plugin-3-2-3-bypass-vulnerability?_s_id=cve • CWE-472: External Control of Assumed-Immutable Web Parameter •
CVSS: 10.0EPSS: 90%CPEs: 1EXPL: 1CVE-2022-3982 – Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-3982
21 Nov 2022 — The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE El complemento Booking calendar, Appointment Booking System para WordPress anterior a 3.2.2 no valida los archivos cargados, lo que podría permitir a usuarios no autenticados cargar archivos arbitrarios, como PHP y lograr RCE. The Booking calendar, Appointment Booking System plugin for WordPress is vuln... • https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867 • CWE-434: Unrestricted Upload of File with Dangerous Type •