WordPress Plugin Vulnerabilities

Booking Calendar <= 2.1.7 - Authenticated Stored XSS & CSRF

Description

The Booking calendar, Appointment Booking System WordPress plugin was affected by an Authenticated Stored XSS & CSRF security vulnerability.

Affects Plugins

Plugin icon
booking-calendar
Fixed in 2.1.8

References

CVE
CVE-2018-5670
CVE
CVE-2018-5671
CVE
CVE-2018-5672
CVE
CVE-2018-5673
URL
https://github.com/d4wner/Vulnerabilities-Report/blob/master/booking-calendar.md
URL
https://plugins.trac.wordpress.org/changeset/1802633/booking-calendar

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
813eb068-814a-4235-a3bb-07cc26eb2c67

Timeline

Publicly Published
2018-01-12 (about 8 years ago)
Added
2018-01-22 (about 8 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2024-01-03
Title
Ideal Interactive Map <= 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-20
Title
SuevaFree Essential Kit < 1.1.4 - Contributor+ Stored XSS
Published
2025-07-16
Title
JetTabs < 2.2.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2015-05-05
Title
WordPress prettyPhoto <= 1.1 - DOM Cross-Site Scripting (XSS)
Published
2024-11-21
Title
Control horas <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting