Vulnerabilities and security researches forappointment-booking-calendar appointment-booking-calendar

Jun 07, 2024

CVE, Research URL: CVE-2022-43482
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Nov 19, 2022
Research Description: Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress.
Affected versions: max 1.2.25.
Status: vulnerable

CVE, Research URL: CVE-2020-9371
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Mar 05, 2020
Research Description: Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML.
Affected versions: max 1.3.35.
Status: vulnerable

CVE, Research URL: CVE-2016-10916
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Aug 22, 2019
Research Description: The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than CVE-2015-7319.
Affected versions: max 1.1.24.
Status: vulnerable

CVE, Research URL: CVE-2019-14791
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Aug 09, 2019
Research Description: The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter.
Affected versions: max 1.3.19.
Status: vulnerable

CVE, Research URL: CVE-2015-7319
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Sep 30, 2015
Research Description: SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to updating the username.
Affected versions: max 1.1.8.
Status: vulnerable

CVE, Research URL: CVE-2015-7320
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Sep 30, 2015
Research Description: Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected versions: max 1.1.25.
Status: vulnerable

CVE, Research URL: CVE-2024-0856
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Mar 20, 2024
Research Description: The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding a booking to the calendar without paying.
Affected versions: max 1.3.83.
Status: vulnerable

CVE, Research URL: CVE-2020-9372
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Mar 05, 2020
Research Description: The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
Affected versions: max 1.3.35.
Status: vulnerable

Apr 23, 2025

CVE, Research URL: CVE-2025-46247
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Apr 22, 2025
Research Description: Missing Authorization vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Appointment Booking Calendar: from n/a through <= 1.3.92.
Affected versions: max 1.3.93.
Status: vulnerable

Dec 10, 2025

CVE, Research URL: CVE-2025-13317
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Nov 22, 2025
Research Description: The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations.
Affected versions: max 1.3.97.
Status: vulnerable

CVE, Research URL: CVE-2025-64261
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Nov 13, 2025
Research Description: Missing Authorization vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Appointment Booking Calendar: from n/a through <= 1.3.95.
Affected versions: max 1.3.96.
Status: vulnerable

Jun 14, 2026

CVE, Research URL: CVE-2025-46241
Home page URL: Security reports for Appointment Booking Calendar
Application: Appointment Booking Calendar
Date: Apr 22, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows SQL Injection.This issue affects Appointment Booking Calendar: from n/a through <= 1.3.92.
Affected versions: max 1.3.93.
Status: vulnerable