Lucene search
+L

7373 matches found

NVD
NVD
added 2026/07/10 5:16 a.m.12 views

CVE-2026-15289

The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpdevartid’ parameter in all versions up to, and including, 3.2.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...

5.9CVSS0.00346EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/10 4:31 a.m.7 views

EUVD-2026-42798

The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpdevartid’ parameter in all versions up to, and including, 3.2.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...

5.9CVSS6AI score0.00346EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/10 4:31 a.m.6 views

CVE-2026-15289

The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpdevartid’ parameter in all versions up to, and including, 3.2.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...

5.9CVSS6AI score0.00346EPSS
Exploits0References5
CVE
CVE
added 2026/07/10 4:31 a.m.7 views

CVE-2026-15289

The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to a time-based SQL injection via the wpdevart_id parameter in all versions up to 3.2.17. The root cause is insufficient escaping of the user-supplied parameter and lack of proper SQL query preparation. This can a...

5.9CVSS6AI score0.00346EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/10 4:31 a.m.31 views

CVE-2026-15289 Booking calendar, Appointment Booking System <= 3.2.17 - Unauthenticated Time-Based SQL Injection via 'wpdevart_id'

The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpdevartid’ parameter in all versions up to, and including, 3.2.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...

5.9CVSS0.00346EPSS
Exploits0References4
NVD
NVD
added 2026/07/10 4:17 a.m.5 views

CVE-2026-15070

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce validation on the setCustomText function. This makes it possible for unauthenticated attackers to inje...

8.8CVSS0.00259EPSS
Exploits0References6
NVD
NVD
added 2026/07/10 4:17 a.m.6 views

CVE-2026-11392

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' and 'checkoutdate' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...

6.1CVSS0.00254EPSS
Exploits0References9
EUVD
EUVD
added 2026/07/10 3:31 a.m.8 views

EUVD-2026-42786

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' and 'checkoutdate' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...

6.1CVSS6.1AI score0.00254EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/07/10 3:31 a.m.38 views

CVE-2026-11392 WP Hotel Booking <= 2.3.1 - Reflected Cross-Site Scripting via 'check_in_date' and 'check_out_date' Parameters

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' and 'checkoutdate' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...

6.1CVSS0.00254EPSS
Exploits0References9
CVE
CVE
added 2026/07/10 3:31 a.m.9 views

CVE-2026-11392

The CVE-2026-11392 affects the WordPress WP Hotel Booking plugin up to version 2.3.1. It is a Reflected Cross-Site Scripting vulnerability caused by insufficient input sanitization and output escaping in the check_in_date and check_out_date parameters. This allows unauthenticated attackers to inj...

6.1CVSS6.1AI score0.00254EPSS
Exploits0References9
CVE
CVE
added 2026/07/10 3:31 a.m.12 views

CVE-2026-15070

The CVE covers the WordPress plugin “Salon Booking System – Free Version.” All versions up to and including 10.30.32 are vulnerable to Cross-Site Request Forgery due to missing/incorrect nonce validation in setCustomText, allowing unauthenticated attackers to inject PHP into translate-constants.p...

8.8CVSS6.7AI score0.00259EPSS
Exploits0References6
Patchstack
Patchstack
added 2026/07/09 3:29 p.m.6 views

WordPress Salon Booking System – Free Version plugin <= 10.30.32 - Cross-Site Request Forgery to Remote Code Execution vulnerability

Cross-Site Request Forgery to Remote Code Execution vulnerability discovered by Afifudin Maarif in WordPress Plugin Salon booking system versions = 10.30.32...

8.8CVSS6.1AI score0.00259EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/07/09 10:16 a.m.9 views

CVE-2026-12433

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...

4.3CVSS0.00435EPSS
Exploits0References10
EUVD
EUVD
added 2026/07/09 8:31 a.m.8 views

EUVD-2026-42550

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...

4.3CVSS5.9AI score0.00435EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/07/09 8:31 a.m.34 views

CVE-2026-12433 Hydra Booking <= 1.2.1 - Authenticated (Custom+) Insecure Direct Object Reference to Sensitive Information Exposure via 'booking_id' Parameter

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...

4.3CVSS0.00435EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/07/09 8:31 a.m.7 views

CVE-2026-12433

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...

4.3CVSS5.9AI score0.00435EPSS
Exploits0References11
CVE
CVE
added 2026/07/09 8:31 a.m.14 views

CVE-2026-12433

The CVE describes a vulnerability in the Hydra Booking WordPress plugin (versions up to 1.2.1) where an Insecure Direct Object Reference in the /wp-json/hydra-booking/v1/booking/details/{id} endpoint allows authenticated hosts with the tfhb_manage_options capability to view booking records from o...

4.3CVSS5.9AI score0.00435EPSS
Exploits0References10
CVE
CVE
added 2026/07/08 12:33 p.m.13 views

CVE-2026-6820

CVE-2026-6820: The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the email parameter in all versions up to 1.8.8 due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts in ...

7.2CVSS6.1AI score0.00229EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/07/08 12:28 p.m.6 views

WordPress Booking and Rental Manager plugin <= 2.6.9 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by hhhai in WordPress Plugin Booking and Rental Manager versions = 2.6.9...

6.5CVSS6.1AI score0.00242EPSS
Exploits0Affected Software1
Patchstack
Patchstack
added 2026/07/08 8:52 a.m.5 views

WordPress Hydra Booking plugin <= 1.1.44 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by HaiND in WordPress Plugin Hydra Booking versions = 1.1.44...

7.1CVSS6.1AI score0.0018EPSS
Exploits0Affected Software1
Rows per page
Query Builder