Lucene search
+L

7373 matches found

Nuclei
Nuclei
added yesterday29 views

WP Hotel Booking < 1.10.4 - PHP Object Injection

The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpresshotelbooking1 cookie in load in includes/class-wphb-sessions.php. id: CVE-2020-29047 info: name: WP Hotel Booking 1.10.4 - PHP Object...

9.8CVSS9.1AI score0.16017EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday118 views

WordPress Booking Calendar <3.2.2 - Arbitrary File Upload

WordPress Booking Calendar plugin before 3.2.2 is susceptible to arbitrary file upload possibly leading to remote code execution. The plugin does not validate uploaded files, which can allow an attacker to upload arbitrary files, such as PHP, and potentially obtain sensitive information, modify...

9.8CVSS9.1AI score0.04493EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday30 views

ND Booking < 2.5 - Unauthenticated Options Change

The Hotel Booking WordPress plugin ND Booking 2.5 was affected by an Unauthenticated Options Change security vulnerability. id: CVE-2019-15774 info: name: ND Booking 2.5 - Unauthenticated Options Change author: popcorn94 severity: medium description: | The Hotel Booking WordPress plugin ND Bookin...

6.1CVSS6.1AI score0.01731EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday36 views

WordPress Advanced Booking Calendar <1.7.1 - Cross-Site Scripting

WordPress Advanced Booking Calendar plugin before 1.7.1 contains a cross-site scripting vulnerability. It does not sanitize and escape the room parameter before outputting it back in an admin page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of th...

6.1CVSS6AI score0.01618EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday13 views

WP BASE Booking - Reflected XSS

WP BASE Booking of Appointments, Services and Events WordPress plugin 5.0.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before output, letting attackers execute malicious scripts in high privilege users' browsers, exploit requires victim to...

6.1CVSS8.1AI score0.00573EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday86 views

Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion

The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server id: CVE-2023-5991 info: name: Hotel Booking...

9.8CVSS8.6AI score0.03313EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday88 views

PHP Jabbers Night Club Booking 1.0 - Cross Site Scripting

A vulnerability was found in PHP Jabbers Night Club Booking Software 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack may be initiated remotely. The identifier...

6.1CVSS3.3AI score0.05109EPSS
Exploits3References5
Nuclei
Nuclei
added yesterday46 views

Sourcecodester Online Event Booking and Reservation System 2.3.0 - Cross-Site Scripting

Sourcecodester Online Event Booking and Reservation System 2.3.0 contains a cross-site scripting vulnerability in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clic...

4.3CVSS4.8AI score0.03792EPSS
Exploits3References5
Nuclei
Nuclei
added yesterday49 views

TrueBooker <= 1.0.2 - SQL Injection

The TrueBooker Appointment Booking and Scheduler Plugin. plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

9.8CVSS5.7AI score0.03292EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-60785

The Joomla extension Events Booking is vulnerable to an unauthenticated user enumeration that allows to retrieve account usernames and email addresses...

5.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60787

The Joomla extension Events Booking prior version 5.8.0 had an frontend file upload endpoint that lacked CSRF protection...

5.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-60786

The Joomla extension Events Booking prior version 5.8.0 did by default allow unauthenticated users to upload media assets...

5.3AI score
Exploits0References2
Nuclei
Nuclei
added 2 days ago13 views

WP Hotel Booking <= 2.0.7 - SQL Injection

WP Hotel Booking WordPress plugin before 2.0.8 contains a SQL injection caused by lack of authorization, CSRF checks, and input escaping in a function hooked to admininit, letting unauthenticated users perform SQL injections, exploit requires no authentication. id: CVE-2023-5652 info: name: WP...

9.8CVSS7AI score0.63711EPSS
Exploits2References2
NVD
NVD
added 2 days ago8 views

CVE-2026-11866

The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the...

5.4CVSS0.00095EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-44871

The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the...

5.4CVSS6.1AI score0.00095EPSS
Exploits0References1
CVE
CVE
added 2 days ago9 views

CVE-2026-11866

The CVE-2026-11866 entry describes a CSRF vulnerability in the WordPress plugin “Appointment Booking Plugin” (LatePoint) before version 5.6.3. The central request dispatcher does not validate a CSRF nonce on several state-changing actions, enabling an attacker to perform privileged actions agains...

5.4CVSS6.1AI score0.00095EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-11866 LatePoint < 5.6.3 - Multiple Privileged Actions via CSRF

The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the...

0.00095EPSS
Exploits0References1
CVE
CVE
added 4 days ago6 views

CVE-2026-52838

Affected software: Easy!Appointments (self-hosted appointment scheduler). Vulnerability: Stored XSS via the public booking page. An authenticated administrator can store HTML/JavaScript in the disable_booking_message setting (rich-text editor). The value is later passed directly to the public boo...

2.6CVSS6.1AI score0.00184EPSS
Exploits0References2
OSV
OSV
added 4 days ago3 views

CVE-2026-52838 Easy!Appointments disable_booking_message rendered as raw HTML on public booking page — Stored XSS

Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the disablebookingmessage setting via a rich-text editor and later passed directly to the...

2.6CVSS6.1AI score0.00184EPSS
Exploits0References4
Patchstack
Patchstack
added 5 days ago10 views

WordPress Booking Package plugin <= 1.7.20 - Unauthenticated SQL Injection vulnerability

Unauthenticated SQL Injection vulnerability discovered by PRISM in WordPress Plugin Booking Package versions = 1.7.20...

7.5CVSS6.1AI score0.00481EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder