- Published on: Apr 28, 2026
- Research Description
Booking and reservation plugins operate across a sensitive boundary between public form submission, calendar availability, customer-provided booking data, admin-side reservation management, and in some configurations external calendar synchronization. These plugins often process names, contact details, selected dates, time slots, service requests, event information, and notification templates, while also controlling whether a date or resource can be booked. A weakness in this class of plugin can lead to stored XSS through booking fields, unauthorized booking manipulation, information disclosure through request listings, CSRF against administrators, double-booking logic abuse, or unsafe synchronization behavior. Booking Calendar version 10.15.6 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64650, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for booking, appointment, reservation, calendar, and form-management plugins.
- Affected versions: min 10.15.6, max 10.15.6.
| Previous vulnerability research | Identifier | Date |
| --- | --- | --- |
| Course Booking Platform | CVE-2025-58887 | Sep 07, 2025 |
| Booking Weir | 2e61817c8a383fba887267b21f5423e453a335d3 | Jun 07, 2024 |
| Booking Calendar – Clockwork SMS | CVE-2017-17780 | Jun 07, 2024 |
| Booking Calendar – Clockwork SMS | CVE-2017-18555 | Jun 07, 2024 |
| WP Booking | CVE-2024-35297 | Jun 07, 2024 |

| New vulnerability | Identifier | Date |
| --- | --- | --- |
| Booking Package | CVE-2026-4911 | Apr 29, 2026 |
| Templately – Gutenberg & Elementor Template Library: 5000+ Free & Pro Ready Templates & Cloud! | CVE-2026-42379 | Apr 28, 2026 |
| WPIDE – File Manager & Code Editor | | Apr 28, 2026 |
| UiCore Animate | | Apr 28, 2026 |
| WP Booking Calendar | | Apr 28, 2026 |