Lucene search
K

7334 matches found

ATTACKERKB
ATTACKERKB
added 4 days ago7 views

CVE-2026-12433

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...

4.3CVSS5.9AI score0.00435EPSS
Exploits0References11
CVE
CVE
added 5 days ago11 views

CVE-2026-6820

CVE-2026-6820: The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the email parameter in all versions up to 1.8.8 due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts in ...

7.2CVSS6.1AI score0.00229EPSS
Exploits0References3
Patchstack
Patchstack
added 5 days ago6 views

WordPress Booking and Rental Manager plugin <= 2.6.9 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by hhhai in WordPress Plugin Booking and Rental Manager versions = 2.6.9...

6.5CVSS6.1AI score
Exploits0Affected Software1
Patchstack
Patchstack
added 5 days ago4 views

WordPress Hydra Booking plugin <= 1.1.44 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by HaiND in WordPress Plugin Hydra Booking versions = 1.1.44...

7.1CVSS6.1AI score
Exploits0Affected Software1
NVD
NVD
added 5 days ago9 views

CVE-2026-12378

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this c...

8.1CVSS0.00389EPSS
Exploits0References1
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-42178

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this c...

8.1CVSS6.2AI score0.00389EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/03 7:53 a.m.40 views

CVE-2026-11398 LatePoint <= 5.6.1 - Missing Authorization to Unauthenticated Arbitrary Customer Data Modification via process_step_customer() Booking Form Customer Step

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

5.3CVSS0.00338EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/07/03 7:53 a.m.8 views

CVE-2026-11398

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

5.3CVSS6AI score0.00338EPSS
Exploits0References11
CVE
CVE
added 2026/07/03 7:53 a.m.17 views

CVE-2026-11398

The CVE concerns LatePoint for WordPress, affecting all versions up to 5.6.1. It allows unauthenticated users to bypass authorization and modify PII (first name, last name, phone, notes) of any customer record by submitting a booking form with a known email when guest bookings are enabled (is_cus...

5.3CVSS6AI score0.00338EPSS
Exploits0References10
EUVD
EUVD
added 2026/07/03 7:53 a.m.9 views

EUVD-2026-41524

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

5.3CVSS6AI score0.00338EPSS
Exploits0References10
NVD
NVD
added 2026/07/03 6:16 a.m.9 views

CVE-2026-9180

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the POST /motopress/appointment/v1/bookings REST endpoint being registered with 'permissioncallback' = 'returntrue',...

5.3CVSS0.00342EPSS
Exploits0References6
CVE
CVE
added 2026/07/03 4:30 a.m.22 views

CVE-2026-9180

MotoPress Appointment Booking for WordPress (versions up to 2.4.4) is vulnerable to an Authorization Bypass via a user-controlled booking_id. The REST endpoint POST /motopress/appointment/v1/bookings is registered with a permissive permission_callback (return_true ), and createBooking() loads the...

5.3CVSS5.7AI score0.00342EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/03 4:30 a.m.38 views

CVE-2026-9180 MotoPress Appointment Booking <= 2.4.4 - Unauthenticated Insecure Direct Object Reference to 'payment_details.booking_id' Parameter

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the POST /motopress/appointment/v1/bookings REST endpoint being registered with 'permissioncallback' = 'returntrue',...

5.3CVSS0.00342EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/07/03 4:30 a.m.11 views

CVE-2026-9180

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the POST /motopress/appointment/v1/bookings REST endpoint being registered with 'permissioncallback' = 'returntrue',...

5.3CVSS5.7AI score0.00342EPSS
Exploits0References7
EUVD
EUVD
added 2026/07/03 4:30 a.m.7 views

EUVD-2026-41492

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the POST /motopress/appointment/v1/bookings REST endpoint being registered with 'permissioncallback' = 'returntrue',...

5.3CVSS5.7AI score0.00342EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.14 views

PT-2026-55499

Name of the Vulnerable Software and Affected Versions MotoPress Appointment Booking versions prior to 2.4.5 Description The plugin contains an authorization bypass issue allowing unauthenticated users to modify booking details. The POST /motopress/appointment/v1/bookings endpoint is accessible to...

5.3CVSS5.9AI score0.00342EPSS
Exploits0References10
NVD
NVD
added 2026/07/02 12:17 p.m.5 views

CVE-2026-57347

Subscriber Sensitive Data Exposure in Hotel Booking Lite = 6.0.3 versions...

6.5CVSS0.00371EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/07/02 12:8 p.m.5 views

WordPress Booking calendar, Appointment Booking System plugin <= 3.2.36 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Booking calendar, Appointment Booking System versions = 3.2.36...

5.3CVSS5.9AI score
Exploits0Affected Software1
CVE
CVE
added 2026/07/02 11:15 a.m.15 views

CVE-2026-57347

CVE-2026-57347 affects the WordPress plugin Hotel Booking Lite

6.5CVSS5.8AI score0.00371EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/02 11:15 a.m.37 views

CVE-2026-57347 WordPress Hotel Booking Lite plugin <= 6.0.3 - Sensitive Data Exposure vulnerability

Subscriber Sensitive Data Exposure in Hotel Booking Lite = 6.0.3 versions...

6.5CVSS0.00371EPSS
Exploits0References1
Rows per page
Query Builder