WordPress Plugin Vulnerabilities

Booking Calendar < 10.14.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 10.14.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
booking
Fixed in 10.14.8

References

CVE
CVE-2025-64381
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c44b7ded-e67d-4185-92de-78a82f409333

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
12ed81fd-bac2-44a3-98e7-68cd9105385e

Timeline

Publicly Published
2025-11-13 (about 6 months ago)
Added
2025-11-17 (about 5 months ago)
Last Updated
2025-11-17 (about 5 months ago)

Other

Published
Title
Published
2024-05-17
Title
WP Stacker <= 1.8.5 - Stored XSS via CSRF
Published
2025-04-01
Title
Hyperlink Group Block < 2.0.2 - Contributor+ Stored XSS
Published
2024-08-04
Title
Cooked – Recipe Management < 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-04-01
Title
ShopCred <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-05-07
Title
N360 | Splash Screen < 1.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting