Vulnerabilities and security researches forbooking-calendar booking-calendar

Direction: descending

Mar 29, 2026

Booking calendar, Appointment Booking System # CVE-2026-25435

CVE, Research URL: CVE-2026-25435
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Mar 25, 2026
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Stored XSS.This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.36.
Affected versions: max 3.2.36.
Status: vulnerable

Dec 10, 2025

Booking calendar, Appointment Booking System # CVE-2025-67574

CVE, Research URL: CVE-2025-67574
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Dec 09, 2025
Research Description: Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.30.
Affected versions: max 3.2.30.
Status: vulnerable

Jan 08, 2025

Booking calendar, Appointment Booking System # CVE-2024-12077

CVE, Research URL: CVE-2024-12077
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Jan 07, 2025
Research Description: The Booking Calendar and Booking Calendar Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘calendar_id’ parameter in all versions up to, and including, 3.2.19 and 11.2.19 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 3.2.20.
Status: vulnerable

Dec 25, 2024

Booking calendar, Appointment Booking System # CVE-2024-10856

CVE, Research URL: CVE-2024-10856
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Dec 24, 2024
Research Description: The Booking Calendar WpDevArt plugin is vulnerable to time-based, blind SQL injection via the `id` parameter in the “wpdevart_booking_calendar” shortcode in versions up to, and including, 3.2.19 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. The vulnerability requires the “delete_prev_date” theme option being enabled. This makes it possible for authenticated attackers, with contributor-level access or above, to append additional SQL queries into already existing query that can be used to extract sensitive information such as passwords from the database.
Affected versions: max 3.2.20.
Status: vulnerable

Booking calendar, Appointment Booking System # CVE-2023-24407

CVE, Research URL: CVE-2023-24407
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Dec 09, 2024
Research Description: Missing Authorization vulnerability in WpDevArt Booking calendar, Appointment Booking System allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.3.
Affected versions: max 3.2.4.
Status: vulnerable

Nov 27, 2024

Booking calendar, Appointment Booking System # CVE-2024-9504

CVE, Research URL: CVE-2024-9504
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Nov 26, 2024
Research Description: The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Affected versions: max 3.2.16.
Status: vulnerable

Jun 07, 2024

Booking calendar, Appointment Booking System # CVE-2018-5671

CVE, Research URL: CVE-2018-5671
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Jan 13, 2018
Research Description: An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php extra_field1[items][field_item1][price_percent] parameter.
Affected versions: max 2.1.8.
Status: vulnerable

Booking calendar, Appointment Booking System # CVE-2018-5672

CVE, Research URL: CVE-2018-5672
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Jan 13, 2018
Research Description: An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php form_field5[label] parameter.
Affected versions: max 2.1.8.
Status: vulnerable

Booking calendar, Appointment Booking System # CVE-2018-5673

CVE, Research URL: CVE-2018-5673
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Jan 13, 2018
Research Description: An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via wp-admin/admin.php.
Affected versions: max 2.1.8.
Status: vulnerable

Booking calendar, Appointment Booking System # CVE-2023-24388

CVE, Research URL: CVE-2023-24388
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Feb 17, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions affects plugin forms actions (create, duplicate, edit, delete).
Affected versions: max 3.2.4.
Status: vulnerable

Booking calendar, Appointment Booking System # CVE-2022-47428

CVE, Research URL: CVE-2022-47428
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Nov 06, 2023
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpDevArt Booking calendar, Appointment Booking System allows SQL Injection.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.7.
Affected versions: max 3.2.12.
Status: vulnerable

Booking calendar, Appointment Booking System # CVE-2022-47438

CVE, Research URL: CVE-2022-47438
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Mar 29, 2023
Research Description: Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions.
Affected versions: max 3.2.4.
Status: vulnerable

Booking calendar, Appointment Booking System # CVE-2018-10363

CVE, Research URL: CVE-2018-10363
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Jun 13, 2018
Research Description: An issue was discovered in the WpDevArt "Booking calendar, Appointment Booking System" plugin 2.2.2 for WordPress. Multiple parameters allow remote attackers to manipulate the values to change data such as prices.
Affected versions: max 2.2.3.
Status: vulnerable

Booking calendar, Appointment Booking System # CVE-2018-5670

CVE, Research URL: CVE-2018-5670
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Jan 13, 2018
Research Description: An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php sale_conditions[count][] parameter.
Affected versions: max 2.1.8.
Status: vulnerable

Booking calendar, Appointment Booking System # CVE-2022-3982

CVE, Research URL: CVE-2022-3982
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Dec 12, 2022
Research Description: The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE
Affected versions: max 3.2.2.
Status: vulnerable

Booking calendar, Appointment Booking System # CVE-2023-24373

CVE, Research URL: CVE-2023-24373
Home page URL: Security reports for Booking calendar, Appointment Booking System
Application: Booking calendar, Appointment Booking System
Date: Jun 04, 2024
Research Description: External Control of Assumed-Immutable Web Parameter vulnerability in WpDevArt Booking calendar, Appointment Booking System allows Manipulating Hidden Fields.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.3.
Affected versions: max 3.2.4.
Status: vulnerable