WordPress Plugin Vulnerabilities

Booking Calendar < 9.2.2 - Arbitrary Translation Update via CSRF

Description

The plugin does not have CSRF check when updating translations, which could allow attackers to make logged in users update arbitrary translations via a CSRF attack

Affects Plugins

Plugin icon
booking
Fixed in 9.2.2

References

CVE
CVE-2022-33177

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Muhammad Daffa
Verified
No
WPVDB ID
dca1ddf5-c3c3-4d60-9e92-fa01bdc55e1c

Timeline

Publicly Published
2022-09-06 (about 3 years ago)
Added
2022-09-06 (about 3 years ago)
Last Updated
2022-09-06 (about 3 years ago)

Other

Published
Title
Published
2025-10-21
Title
Stockie Extra < 1.2.12 - Cross-Site Request Forgery
Published
2026-05-11
Title
WP-Redirection <= 1.0.3 - Cross-Site Request Forgery to Settings Update
Published
2023-07-10
Title
Buy Me a Coffee – Button and Widget Plugin < 3.8 - Cross-Site Request Forgery
Published
2025-10-29
Title
Popup box < 5.5.5 - Cross-Site Request Forgery
Published
2022-09-21
Title
FavIcon Switcher <= 1.2.11 - Arbitrary Settings Change via CSRF