Lucene search
K

231 matches found

Cvelist
Cvelist
added yesterday22 views

CVE-2026-57388 WordPress Hydra Booking plugin <= 1.1.44 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Themefic Hydra Booking hydra-booking allows Stored XSS.This issue affects Hydra Booking: from n/a through = 1.1.44...

7.1CVSS0.00251EPSS
Exploits0References1
Cvelist
Cvelist
added 3 days ago31 views

CVE-2026-11901 WP Hotel Booking <= 2.3.1 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via PayPal IPN Handler

The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the webhookprocesspaypalstandard IPN handler selecting its PayPal validation endpoint from the attacker-controlled $REQUEST'testipn...

5.3CVSS0.00177EPSS
Exploits0References10
Patchstack
Patchstack
added 4 days ago5 views

WordPress WP Hotel Booking plugin <= 2.3.1 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by 1M4 in WordPress Plugin WP Hotel Booking versions = 2.3.1...

6.1CVSS5.9AI score0.00254EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-12433 Hydra Booking <= 1.2.1 - Authenticated (Custom+) Insecure Direct Object Reference to Sensitive Information Exposure via 'booking_id' Parameter

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...

4.3CVSS0.00435EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 5 days ago7 views

CVE-2026-12433

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...

4.3CVSS5.9AI score0.00435EPSS
Exploits0References11
Patchstack
Patchstack
added 2026/07/01 8:2 p.m.5 views

WordPress LatePoint – Calendar Booking Plugin for Appointments and Events plugin <= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation vulnerability

Unauthenticated Insecure Direct Object Reference to Arbitrary Creation vulnerability discovered by gidget smith in WordPress Plugin LatePoint versions = 5.6.2...

5.3CVSS5.8AI score0.00381EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/07/01 8:30 a.m.6 views

EUVD-2026-40938

The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

6.5CVSS5.8AI score0.00361EPSS
Exploits0References6
NVD
NVD
added 2026/06/30 7:16 a.m.12 views

CVE-2026-9576

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested groupid before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII name, email, phone, address, payment information from...

4.9CVSS0.00234EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/06/26 1:53 p.m.6 views

WordPress Eagle Booking plugin <= 1.3.4.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Bonds in WordPress Plugin Eagle Booking versions = 1.3.4.3...

8.8CVSS5.8AI score0.00143EPSS
Exploits0Affected Software1
Patchstack
Patchstack
added 2026/06/26 12:30 p.m.5 views

WordPress Fluent Booking plugin <= 2.1.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Tarcísio LuchesiPoystick in WordPress Plugin Fluent Booking versions = 2.1.0...

6.5CVSS5.8AI score0.00161EPSS
Exploits0Affected Software1
NVD
NVD
added 2026/06/15 9:16 p.m.7 views

CVE-2026-39587

Unauthenticated Privilege Escalation in WP BASE Booking = 5.9.0 versions...

8.1CVSS0.00283EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/09 11:48 a.m.32 views

CVE-2017-20243 WordPress Car Park Booking Plugin SQL Injection via space_id

WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the spaceid parameter. Attackers can send GET requests to the booking-page endpoint with...

8.8CVSS0.00262EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.11 views

WordPress plugin Car Park Booking Plugin 13 October SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

8.8CVSS5.8AI score0.00262EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/28 7:43 a.m.11 views

EUVD-2026-32747

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointmen...

5.3CVSS5.9AI score0.00561EPSS
Exploits0References11
NVD
NVD
added 2026/05/27 2:16 a.m.18 views

CVE-2026-7493

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint /wp-json/ssa/v1/async that calls PHP's sleep function on a...

5.3CVSS0.0035EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/27 1:26 a.m.36 views

CVE-2026-7493 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.11.5 - Unauthenticated Denial of Service

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint /wp-json/ssa/v1/async that calls PHP's sleep function on a...

5.3CVSS0.0035EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.7 views

VulnCheck KEV: CVE-2026-2931

The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for...

8.8CVSS7.4AI score0.00382EPSS
In wildExploits0References2
Cvelist
Cvelist
added 2026/04/14 3:37 a.m.31 views

CVE-2026-1607 Surbma | Booking.com <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

6.4CVSS0.00152EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/14 3:37 a.m.2 views

CVE-2026-1607

The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

6.4CVSS5.9AI score0.00152EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/14 12:0 a.m.7 views

WordPress plugin Surbma | Booking.com Shortcode 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

6.4CVSS5.7AI score0.00152EPSS
Exploits0References2
Rows per page
Query Builder