Vulnerabilities and security researches forbooking-package booking-package

Jun 06, 2024

CVE, Research URL: CVE-2021-20840
Home page URL: Security reports for Booking Package
Application: Booking Package
Date: Nov 24, 2021
Research Description: Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors.
Affected versions: max 1.5.11.
Status: vulnerable

CVE, Research URL: CVE-2022-0709
Home page URL: Security reports for Booking Package
Application: Booking Package
Date: Apr 04, 2022
Research Description: The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability.
Affected versions: max 1.5.99.
Status: vulnerable

CVE, Research URL: CVE-2023-37389
Home page URL: Security reports for Booking Package
Application: Booking Package
Date: May 17, 2024
Research Description: Improper Privilege Management vulnerability in SAASPROJECT Booking Package Booking Package allows Privilege Escalation.This issue affects Booking Package: from n/a through 1.5.98.
Affected versions: max 1.5.99.
Status: vulnerable

CVE, Research URL: CVE-2023-39918
Home page URL: Security reports for Booking Package
Application: Booking Package
Date: Sep 04, 2023
Research Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in SAASPROJECT Booking Package Booking Package plugin <= 1.6.01 versions.
Affected versions: max 1.6.02.
Status: vulnerable

CVE, Research URL: CVE-2024-30516
Home page URL: Security reports for Booking Package
Application: Booking Package
Date: Jan 05, 2026
Research Description: Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Booking Package: from n/a through 1.6.27.
Affected versions: max 1.6.29.
Status: vulnerable

Feb 20, 2025

CVE, Research URL: CVE-2024-13508
Home page URL: Security reports for Booking Package
Application: Booking Package
Date: Feb 19, 2025
Research Description: The Booking Package plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the locale parameter in all versions up to, and including, 1.6.72 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 1.6.73.
Status: vulnerable

Apr 29, 2026

CVE, Research URL: CVE-2026-4911
Home page URL: Security reports for Booking Package
Application: Booking Package
Date: Apr 28, 2026
Research Description: The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment.
Affected versions: max 1.7.07.
Status: vulnerable