Booking Security Vulnerabilities

CVE-2020-25444

Cross Site Scripting (XSS) vulnerability in Booking Core - Ultimate Booking System Booking Core 1.7.0 via the (1) “About Yourself” section under the “My Profile” page, (2) “Hotel Policy” field under the “Hotel Details” page, (3) “Pricing code” and “name” fields under the “Manage Tour” page, and.....

5.4 CVSS

5.3 AI Score

0.001 EPSS

2021-07-14 03:15 PM

CVE-2020-25445

The “Subscribe” feature in Ultimate Booking System Booking Core 1.7.0 is vulnerable to CSV formula injection. Input containing an Excel formula is not sanitized by the application. As a result, when an admin in the backend downloads and opens the CSV, the content of the cells are...

7.8 CVSS

7.7 AI Score

0.001 EPSS

2021-07-14 03:15 PM

CVE-2020-27379

Cross Site Request Forgery (CSRF) vulnerability in Booking Core - Ultimate Booking System Booking Core 1.7.0. The CSRF token is not validated when the request is sent as a GET method. This results in an unauthorized change in the user's email ID, which can later be used to reset the...

6.5 CVSS

6.6 AI Score

0.001 EPSS

2021-07-14 03:15 PM

CVE-2021-24429

The Salon booking system WordPress plugin before 6.3.1 does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting (XSS) vulnerability. The Payload will...

6.1 CVSS

5.8 AI Score

0.001 EPSS

2021-07-12 08:15 PM

CVE-2021-24232

The Advanced Booking Calendar WordPress plugin before 1.6.8 does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting...

5.4 CVSS

5.2 AI Score

0.001 EPSS

2021-04-22 09:15 PM

CVE-2021-24225

The Advanced Booking Calendar WordPress plugin before 1.6.7 did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputting it in an A tag, leading to a reflected XSS...

5.4 CVSS

5.2 AI Score

0.001 EPSS

2021-04-12 02:15 PM

CVE-2020-29047

The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in...

9.8 CVSS

9.8 AI Score

0.011 EPSS

2021-03-03 06:15 PM

CVE-2020-25889

Online Bus Booking System Project Using PHP/MySQL version 1.0 has SQL injection via the login page. By placing SQL injection payload on the login page attackers can bypass the authentication and can gain the admin...

9.8 CVSS

10 AI Score

0.007 EPSS

2020-12-08 01:15 PM

CVE-2020-29283

An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to...

9.8 CVSS

9.8 AI Score

0.002 EPSS

2020-12-02 10:15 PM

CVE-2020-25273

In SourceCodester Online Bus Booking System 1.0, there is Authentication bypass on the Admin Login screen in admin.php via username or password SQL...

9.8 CVSS

10 AI Score

0.002 EPSS

2020-10-08 01:15 PM

CVE-2020-25272

In SourceCodester Online Bus Booking System 1.0, there is XSS through the name parameter in...

6.1 CVSS

5.9 AI Score

0.001 EPSS

2020-10-08 01:15 PM

CVE-2020-23984

Online Hotel Booking System Pro PHP Version 1.3 has Persistent Cross-site Scripting in Customer registration-form...

5.4 CVSS

5.5 AI Score

0.001 EPSS

2020-08-27 03:15 PM

CVE-2020-24313

Etoile Web Design Ultimate Appointment Booking & Scheduling WordPress Plugin v1.1.9 and lower does not sanitize the value of the "Appointment_ID" GET parameter before echoing it back out inside an input tag. This results in a reflected XSS vulnerability that attackers can exploit with a specially.....

6.1 CVSS

6 AI Score

0.001 EPSS

2020-08-26 01:15 PM

CVE-2020-15536

An issue was discovered in the bestsoftinc Hotel Booking System Pro plugin through 1.1 for WordPress. Persistent XSS can occur via any of the registration...

6.1 CVSS

5.9 AI Score

0.003 EPSS

2020-07-05 04:15 PM

CVE-2020-9371

Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or...

4.8 CVSS

5 AI Score

0.004 EPSS

2020-03-04 07:15 PM

CVE-2020-9372

The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve....

7.8 CVSS

8 AI Score

0.011 EPSS

2020-03-04 07:15 PM

CVE-2015-9460

The booking-system plugin before 2.1 for WordPress has DOPBSPBackEndTranslation::display SQL injection via the language...

8.8 CVSS

9.1 AI Score

0.001 EPSS

2019-10-10 04:15 PM

CVE-2019-15774

The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl...

6.1 CVSS

6.3 AI Score

0.001 EPSS

2019-08-29 12:15 PM

CVE-2016-10916

The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than...

9.8 CVSS

9.5 AI Score

0.001 EPSS

2019-08-22 01:15 PM

CVE-2016-10908

The booking-calendar-contact-form plugin before 1.0.24 for WordPress has...

6.1 CVSS

6.4 AI Score

0.001 EPSS

2019-08-21 01:15 PM

CVE-2016-10909

The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL...

9.8 CVSS

9.9 AI Score

0.001 EPSS

2019-08-21 01:15 PM

CVE-2017-18555

The booking-sms plugin before 1.1.0 for WordPress has...

6.1 CVSS

6.4 AI Score

0.001 EPSS

2019-08-21 01:15 PM

CVE-2019-14791

The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea...

6.1 CVSS

6 AI Score

0.001 EPSS

2019-08-09 02:15 PM

CVE-2019-13505

The Appointment Hour Booking plugin 1.1.44 for WordPress allows XSS via the E-mail field, as demonstrated by...

6.1 CVSS

6 AI Score

0.001 EPSS

2019-07-11 01:15 PM

CVE-2019-5973

Cross-site request forgery (CSRF) vulnerability in Online Lesson Booking 0.8.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified...

8.8 CVSS

8.8 AI Score

0.003 EPSS

2019-07-05 02:15 PM

CVE-2019-5972

Cross-site scripting vulnerability in Online Lesson Booking 0.8.6 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified...

6.1 CVSS

6.8 AI Score

0.002 EPSS

2019-07-05 02:15 PM

CVE-2018-17842

SQL injection exists in Scriptzee Hotel Booking Engine 1.0 via the hotels h_room_type...

9.8 CVSS

9.8 AI Score

0.003 EPSS

2019-06-19 05:15 PM

CVE-2019-7554

An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2...

6.1 CVSS

6 AI Score

0.001 EPSS

2019-06-06 04:29 PM

CVE-2019-12239

The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative...

7.2 CVSS

7.4 AI Score

0.002 EPSS

2019-05-20 08:29 PM

CVE-2018-20556

SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id...

8.8 CVSS

9.1 AI Score

0.081 EPSS

2019-03-21 04:00 PM

CVE-2019-9064

PHP Scripts Mall Cab Booking Script 1.0.3 allows Directory Traversal into the parent directory of a jpg or png...

5.3 CVSS

5.3 AI Score

0.001 EPSS

2019-02-23 09:29 PM

CVE-2019-9066

PHP Scripts Mall PHP Appointment Booking Script 3.0.3 allows HTML injection in a user...

5.4 CVSS

5.7 AI Score

0.001 EPSS

2019-02-23 09:29 PM

CVE-2018-15190

PHP Scripts Mall hotel-booking-script 2.0.4 allows XSS via the First Name, Last Name, or Address...

5.4 CVSS

5.3 AI Score

0.001 EPSS

2018-08-10 05:29 PM

CVE-2018-15191

PHP Scripts Mall hotel-booking-script 2.0.4 allows remote attackers to cause a denial of service via crafted JavaScript code in the First Name, Last Name, or Address...

6.5 CVSS

6.6 AI Score

0.002 EPSS

2018-08-10 05:29 PM

CVE-2018-10363

An issue was discovered in the WpDevArt "Booking calendar, Appointment Booking System" plugin 2.2.2 for WordPress. Multiple parameters allow remote attackers to manipulate the values to change data such as...

7.5 CVSS

7.5 AI Score

0.002 EPSS

2018-06-13 06:29 PM

CVE-2018-0513

Cross-site scripting vulnerability in MTS Simple Booking C, MTS Simple Booking Business version 1.28.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified...

6.1 CVSS

6 AI Score

0.001 EPSS

2018-02-08 02:29 PM

CVE-2018-5672

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php form_field5[label]...

4.8 CVSS

4.9 AI Score

0.001 EPSS

2018-01-13 12:29 AM

CVE-2018-5671

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php extra_field1[items][field_item1][price_percent]...

4.8 CVSS

4.9 AI Score

0.001 EPSS

2018-01-13 12:29 AM

CVE-2018-5673

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via...

8.8 CVSS

8.6 AI Score

0.002 EPSS

2018-01-13 12:29 AM

CVE-2018-5670

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php sale_conditions[count][]...

4.8 CVSS

4.9 AI Score

0.001 EPSS

2018-01-13 12:29 AM

CVE-2017-12812

PHPJabbers Night Club Booking Software has stored XSS in the name parameter in the reservations...

6.1 CVSS

5.9 AI Score

0.001 EPSS

2017-12-30 07:29 AM

CVE-2017-17780

The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication -...

6.1 CVSS

5.9 AI Score

0.001 EPSS

2017-12-20 03:29 AM

CVE-2017-17645

Bus Booking Script 1.0 has SQL Injection via the txtname parameter to...

9.8 CVSS

9.8 AI Score

0.002 EPSS

2017-12-18 09:29 AM

CVE-2017-17633

Multiplex Movie Theater Booking Script 3.1.5 has SQL Injection via the trailer-detail.php moid parameter, show-time.php moid parameter, or event-detail.php eid...

9.8 CVSS

9.9 AI Score

0.002 EPSS

2017-12-13 09:29 AM

CVE-2017-17632

Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Injection via the findcity.php q...

9.8 CVSS

9.9 AI Score

0.002 EPSS

2017-12-13 09:29 AM

CVE-2017-17619

Laundry Booking Script 1.0 has SQL Injection via the /list city...

9.8 CVSS

9.9 AI Score

0.003 EPSS

2017-12-13 09:29 AM

CVE-2017-17634

Single Theater Booking Script 3.2.1 has SQL Injection via the findcity.php q...

9.8 CVSS

9.9 AI Score

0.002 EPSS

2017-12-13 09:29 AM

CVE-2017-17609

Chartered Accountant Booking Script 1.0 has SQL Injection via the /service-list city...

9.8 CVSS

9.9 AI Score

0.002 EPSS

2017-12-13 09:29 AM

CVE-2017-17604

Entrepreneur Bus Booking Script 3.0.4 has SQL Injection via the booker_details.php sourcebus...

9.8 CVSS

9.9 AI Score

0.002 EPSS

2017-12-13 09:29 AM

CVE-2017-17595

Beauty Parlour Booking Script 1.0 has SQL Injection via the /list gender or city...

9.8 CVSS

9.9 AI Score

0.002 EPSS

2017-12-13 09:29 AM
Total number of security vulnerabilities: 379