CVE-2026-9851

The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the packageappaction AJAX endpoint, where the handler only validates a nonce and th...

EUVD-2026-34961

The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the packageappaction AJAX endpoint, where the handler only validates a nonce and th...

PT-2026-47145

The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package app action AJAX endpoint, where the handler only validates a nonce and...

EUVD-2026-26006

The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe function passing user-controlled $POST'amount' directly to the Stripe PaymentIntent API without validation, and the commitStripe function ignori...

CVE-2022-0709

The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability...

EUVD-2023-43616

Malicious code in bioql PyPI...

CVE-2024-13508

The Booking Package plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the locale parameter in all versions up to, and including, 1.6.72 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVE-2024-13508 Booking Package <= 1.6.72 - Reflected Cross-Site Scripting via Locale Parameter

The Booking Package plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the locale parameter in all versions up to, and including, 1.6.72 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVE-2024-13508

CVE-2024-13508 affects Booking Package for WordPress. It enables a Reflected Cross-Site Scripting (XSS) via the locale parameter in all versions up to and including 1.6.72 due to insufficient input sanitization/output escaping. The vulnerability is unauthenticated and can be triggered when a user...

CVE-2023-39918

CVE-2023-39918 affects the SAASPROJECT Booking Package WordPress plugin (versions

WordPress Booking Package plugin <= 1.5.10 - Reflected Cross-Site Scripting (XSS) vulnerability

Reflected Cross-Site Scripting XSS vulnerability discovered by Gen Sato Mitsui Bussan Secure Directions, Inc in WordPress Booking Package plugin versions = 1.5.10. Solution Update the WordPress Booking Package plugin to the latest available version at least 1.5.11...