86 matches found
WordPress Booking Package plugin <= 1.7.20 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by PRISM in WordPress Plugin Booking Package versions = 1.7.20...
CVE-2026-15335
The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter form in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
CVE-2026-15335
The Booking Package WordPress plugin is vulnerable up to version 1.7.20 due to insufficient escaping on the email parameter in the REST endpoint /wp-json/booking-package/v1/request, allowing unauthenticated SQL injection. Root cause: user-supplied email input reaches the SQL sink without proper e...
EUVD-2026-43143
The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter form in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
CVE-2026-15335 Booking Package <= 1.7.20 - Unauthenticated SQL Injection via 'email' Form Parameter
The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter form in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
PT-2026-57393
Name of the Vulnerable Software and Affected Versions Booking Package versions prior to 1.7.21 Description Insufficient escaping of user-supplied parameters and lack of preparation in SQL queries allow unauthenticated attackers to perform SQL Injection. This occurs via the email parameter in the...
EUVD-2026-36983
Unauthenticated Broken Access Control in Booking Package = 1.7.06 versions...
CVE-2026-40774
Unauthenticated Broken Access Control in Booking Package = 1.7.06 versions...
CVE-2026-40774 WordPress Booking Package plugin <= 1.7.06 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Booking Package = 1.7.06 versions...
CVE-2026-40774
CVE-2026-40774 concerns the WordPress Booking Package plugin (versions
CVE-2026-40774 WordPress Booking Package plugin <= 1.7.06 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Booking Package = 1.7.06 versions...
PT-2026-49418
Unauthenticated Broken Access Control in Booking Package = 1.7.06 versions...
WordPress Booking Package plugin <= 1.7.16 - Authenticated (Editor+) Privilege Escalation vulnerability
Authenticated Editor+ Privilege Escalation vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Booking Package versions = 1.7.16...
CVE-2026-9851
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the packageappaction AJAX endpoint, where the handler only validates a nonce and th...
CVE-2026-9851
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the packageappaction AJAX endpoint, where the handler only validates a nonce and th...
CVE-2026-9851
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the packageappaction AJAX endpoint, where the handler only validates a nonce and th...
CVE-2026-9851 Booking Package <= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the packageappaction AJAX endpoint, where the handler only validates a nonce and th...
CVE-2026-9851 Booking Package <= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the packageappaction AJAX endpoint, where the handler only validates a nonce and th...
EUVD-2026-34961
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the packageappaction AJAX endpoint, where the handler only validates a nonce and th...
CVE-2026-9851
The CVE-2026-9851 entry concerns the Booking Package plugin for WordPress (versions up to 1.7.16). The vulnerability arises from a missing capability check in the updateUser branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and Schedule::updateUser() is invo...