CVE-2026-8684 MotoPress Hotel Booking <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary Booking Notes Modification via mphb_update_booking_notes AJAX Action

The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or...

CVE-2026-8684

The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or...

WordPress Smart Appointment & Booking plugin <= 1.0.8 - Missing Authorization to Unauthenticated Arbitrary Booking Cancellation vulnerability

Missing Authorization to Unauthenticated Arbitrary Booking Cancellation vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Smart Appointment & Booking versions = 1.0.8...

WordPress Booking Calendar Contact Form plugin <= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via 'dex_bccf_ipn' Parameter vulnerability

Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via 'dexbccfipn' Parameter vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Booking Calendar Contact Form versions = 1.2.60...

WordPress Appointment Booking Calendar plugin <= 1.3.96 - Missing Authorization to Arbitrary Booking Confirmation via 'cpabc_ipncheck' Parameter vulnerability

Missing Authorization to Arbitrary Booking Confirmation via 'cpabcipncheck' Parameter vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Appointment Booking Calendar versions = 1.3.96...

CVE-2024-4665 EventPrime – Events Calendar, Bookings and Tickets < 3.5.0 - Subscriber+ Arbitrary booking settings update

The EventPrime WordPress plugin before 3.5.0 does not properly validate permissions when updating bookings, allowing users to change/cancel bookings for other users. Additionally, the feature is lacking a nonce...

CVE-2023-1129 WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR

The WP FEvents Book WordPress plugin through 0.46 does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users...

CVE-2023-1129 WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR

The WP FEvents Book WordPress plugin through 0.46 does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users...

WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR

The plugin does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users. 1. Book or cancel booking an event using an authenticated user. 2. Intercept the request using an HTTP Pro...

WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR

The plugin does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users. PoC 1. Book or cancel booking an event using an authenticated user. 2. Intercept the request using an HTTP...

CVE-2021-24318

The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector...

Listeo < 1.6.11 - Multiple Authenticated IDOR Vulnerabilities

The theme did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector. PoC -- PoC 1 | Authenticated IDOR | Permanent post/page deletion: !...