7373 matches found
CVE-2026-15289
The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpdevartid’ parameter in all versions up to, and including, 3.2.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...
EUVD-2026-42798
The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpdevartid’ parameter in all versions up to, and including, 3.2.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...
CVE-2026-15289
The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpdevartid’ parameter in all versions up to, and including, 3.2.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...
CVE-2026-15289
The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to a time-based SQL injection via the wpdevart_id parameter in all versions up to 3.2.17. The root cause is insufficient escaping of the user-supplied parameter and lack of proper SQL query preparation. This can a...
CVE-2026-15289 Booking calendar, Appointment Booking System <= 3.2.17 - Unauthenticated Time-Based SQL Injection via 'wpdevart_id'
The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpdevartid’ parameter in all versions up to, and including, 3.2.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...
CVE-2026-15070
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce validation on the setCustomText function. This makes it possible for unauthenticated attackers to inje...
CVE-2026-11392
The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' and 'checkoutdate' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...
EUVD-2026-42786
The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' and 'checkoutdate' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...
CVE-2026-11392 WP Hotel Booking <= 2.3.1 - Reflected Cross-Site Scripting via 'check_in_date' and 'check_out_date' Parameters
The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' and 'checkoutdate' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...
CVE-2026-11392
The CVE-2026-11392 affects the WordPress WP Hotel Booking plugin up to version 2.3.1. It is a Reflected Cross-Site Scripting vulnerability caused by insufficient input sanitization and output escaping in the check_in_date and check_out_date parameters. This allows unauthenticated attackers to inj...
CVE-2026-15070
The CVE covers the WordPress plugin “Salon Booking System – Free Version.” All versions up to and including 10.30.32 are vulnerable to Cross-Site Request Forgery due to missing/incorrect nonce validation in setCustomText, allowing unauthenticated attackers to inject PHP into translate-constants.p...
WordPress Salon Booking System – Free Version plugin <= 10.30.32 - Cross-Site Request Forgery to Remote Code Execution vulnerability
Cross-Site Request Forgery to Remote Code Execution vulnerability discovered by Afifudin Maarif in WordPress Plugin Salon booking system versions = 10.30.32...
CVE-2026-12433
The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...
EUVD-2026-42550
The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...
CVE-2026-12433 Hydra Booking <= 1.2.1 - Authenticated (Custom+) Insecure Direct Object Reference to Sensitive Information Exposure via 'booking_id' Parameter
The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...
CVE-2026-12433
The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...
CVE-2026-12433
The CVE describes a vulnerability in the Hydra Booking WordPress plugin (versions up to 1.2.1) where an Insecure Direct Object Reference in the /wp-json/hydra-booking/v1/booking/details/{id} endpoint allows authenticated hosts with the tfhb_manage_options capability to view booking records from o...
CVE-2026-6820
CVE-2026-6820: The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the email parameter in all versions up to 1.8.8 due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts in ...
WordPress Booking and Rental Manager plugin <= 2.6.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by hhhai in WordPress Plugin Booking and Rental Manager versions = 2.6.9...
WordPress Hydra Booking plugin <= 1.1.44 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by HaiND in WordPress Plugin Hydra Booking versions = 1.1.44...