Plugin icon

Booking Calendar

booking

Vulnerabilities:

27

Last Updated:

May 9, 2026

Active Installs:

50000

Published
Title
Fixed in
CVSS
Published
2026-02-17
Title
Booking Calendar < 10.14.15 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification
Fixed in
Fixed in 10.14.15
CVSS
4.3 (medium)
Published
2026-02-14
Title
Booking Calendar < 10.14.16 - Authenticated (Editor+) SQL Injection
Fixed in
Fixed in 10.14.16
CVSS
4.9 (medium)
Published
2026-01-30
Title
Booking Calendar < 10.14.14 - Missing Authorization to Unauthenticated Booking Details Exposure
Fixed in
Fixed in 10.14.14
CVSS
5.3 (medium)
Published
2026-01-15
Title
Booking Calendar < 10.14.12 - Missing Authorization to Sensitive Information Exposure
Fixed in
Fixed in 10.14.12
CVSS
4.3 (medium)
Published
2026-01-08
Title
Booking Calendar < 10.14.11 - Unauthenticated Sensitive Information Exposure
Fixed in
Fixed in 10.14.11
CVSS
5.3 (medium)
Published
2025-12-15
Title
Booking Calendar < 10.14.9 - Unauthenticated SQL Injection via dates_to_check
Fixed in
Fixed in 10.14.9
CVSS
7.5 (high)
Published
2025-12-04
Title
Booking Calendar < 10.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bookingcalendar Shortcode
Fixed in
Fixed in 10.14.7
CVSS
6.4 (medium)
Published
2025-11-13
Title
Booking Calendar < 10.14.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Fixed in
Fixed in 10.14.8
CVSS
6.4 (medium)
Published
2025-08-27
Title
Booking Calendar < 10.14.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Fixed in
Fixed in 10.14.2
CVSS
6.4 (medium)
Published
2025-05-16
Title
Booking Calendar < 10.11.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpbc Shortcode
Fixed in
Fixed in 10.11.2
CVSS
6.4 (medium)
Published
2025-02-11
Title
WP Booking Calendar < 10.10.1 - Unauthenticated Post-Confirmation Booking Manipulation
Fixed in
Fixed in 10.10.1
CVSS
5.3 (medium)
Published
2025-01-13
Title
Booking Calendar < 10.9.3 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'booking' Shortcode
Fixed in
Fixed in 10.9.3
CVSS
6.4 (medium)
Published
2024-11-12
Title
WP Booking Calendar < 10.6.5 - Admin+ Stored XSS
Fixed in
Fixed in 10.6.5
CVSS
3.5 (low)
Published
2024-10-17
Title
WP Booking Calendar < 10.6.3 - Admin+ Stored XSS
Fixed in
Fixed in 10.6.3
CVSS
3.5 (low)
Published
2024-10-03
Title
WP Booking Calendar < 10.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Fixed in
Fixed in 10.6.1
CVSS
4.4 (medium)
Published
2024-08-29
Title
WP Booking Calendar < 10.5.1 - Reflected Cross-Site Scripting
Fixed in
Fixed in 10.5.1
CVSS
6.1 (medium)
Published
2024-07-23
Title
WP Booking Calendar < 10.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via bookingform Shortcode
Fixed in
Fixed in 10.2.2
CVSS
6.4 (medium)
Published
2024-02-07
Title
Booking Calendar < 9.9.1 - Unauthenticated SQL Injection
Fixed in
Fixed in 9.9.1
CVSS
9.8 (critical)
Published
2023-09-25
Title
Booking Calendar < 9.7.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Fixed in
Fixed in 9.7.4
CVSS
6.4 (medium)
Published
2023-09-11
Title
Booking Calendar < 9.7.3.1 - Unauthenticated Stored XSS
Fixed in
Fixed in 9.7.3.1
CVSS
8.8 (high)
Published
2022-09-06
Title
Booking Calendar < 9.2.2 - Arbitrary Translation Update via CSRF
Fixed in
Fixed in 9.2.2
CVSS
5.4 (medium)
Published
2022-04-27
Title
Booking Calendar < 9.1.1 - PHP Object Injection
Fixed in
Fixed in 9.1.1
CVSS
8.1 (high)
Published
2021-12-06
Title
Booking Calendar < 8.9.2 - Reflected Cross-Site Scripting
Fixed in
Fixed in 8.9.2
CVSS
7.5 (high)
Published
2019-02-14
Title
Booking < 8.4.5.15 - SQL Injection
Fixed in
Fixed in 8.4.5.15
CVSS
8.8 (high)
Published
2016-08-01
Title
Booking Calendar <= 6.2 - SQL Injection
Fixed in
Fixed in 6.2.1
CVSS
n/a
Published
2016-08-01
Title
Booking Calendar <= 6.2 - Reflected Cross-Site Scripting (XSS)
Fixed in
Fixed in 6.2.1
CVSS
n/a
Published
2014-08-01
Title
Booking Calendar <= 4.1.5 - Cross-Site Request Forgery (CSRF)
Fixed in
Fixed in 4.1.6
CVSS
n/a