Booking Calendar < 10.14.11 – Unauthenticated Sensitive Information Exposure | CVE 2025-14146 | Plugin Vulnerabilities

Description

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for unauthenticated attackers to extract sensitive booking data including customer names, email addresses, phone numbers, and booking details.

Affects Plugins

Fixed in 10.14.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/281a1c0e-bbd8-4cf6-94ca-b888c7d7e3af

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Filippo Decortes

Verified

No

WPVDB ID

43d0c55c-32d1-4e30-8f09-f81e01f3dca0

Timeline

Publicly Published

2026-01-08 (about 4 months ago)

Added

2026-01-08 (about 4 months ago)

Last Updated

2026-01-09 (about 4 months ago)

Other

Published

Title

Published

2024-12-30

Title

Data Tables Generator by Supsystic < 1.10.37 - Missing Authorization

Published

2025-05-07

Title

Calculate Prices based on Distance For WooCommerce < 1.3.6 - Missing Authorization

Published

2024-01-08

Title

MailerLite – WooCommerce integration < 2.0.9 - Missing Authorization via Multiple Functions

Published

2025-04-22

Title

wProject < 5.8.0 - Missing Authorization to Unauthenticated Content Modification and Deletion

Published

2025-11-29

Title

Notification for Telegram < 3.5.2 - Missing Authorization