Booking Calendar < 10.14.14 – Missing Authorization to Unauthenticated Booking Details Exposure | CVE 2026-1431 | Plugin Vulnerabilities

Description

The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails.

Affects Plugins

Fixed in 10.14.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0bd92f91-d9b1-4f6f-ac1a-477950ea2e80

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

type5afe

Verified

No

WPVDB ID

1b1d0c78-1a1a-45e9-8bba-ad0bc78082b8

Timeline

Publicly Published

2026-01-30 (about 4 months ago)

Added

2026-01-30 (about 4 months ago)

Last Updated

2026-01-31 (about 4 months ago)

Other

Published

Title

Published

2023-10-06

Title

Contact Form builder with drag & drop - Kali Forms < 2.3.29 - Missing Authorization via get_log

Published

2026-03-06

Title

Youtube Embed Plus < 14.2.5 - Missing Authorization

Published

2025-06-19

Title

Zapier for WordPress < 1.5.3 - Missing Authorization

Published

2024-02-05

Title

Advanced Forms for ACF < 1.9.3.3 - Missing Authorization to Unauthenticated Form Settings Export

Published

2024-08-27

Title

Permalink Manager Lite < 2.4.4.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure