Booking Calendar
Approved changes feed: RSS · Atom
cpe:2.3:a:wpdevart:booking_calendar:*:*:*:*:*:wordpress:*:*
part: a version: * update: *
| Vendor | Wpdevart (62458400-5314-5c71-819c-4b29c90460da) |
|---|---|
| Product | Booking Calendar (c11713d0-7ad6-56c1-9a9a-00240b768efe) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | wordpress |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2024-9504 |
vulnerable | 2026-06-03 14:58:22.021024 |
Booking calendar, Appointment Booking System <= 3.2.15 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
HIGH (7.2)
The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Published: 2024-11-26T07:31:31.040Z
Updated: 2026-04-08T16:41:04.352Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-10856 |
vulnerable | 2026-06-03 14:54:12.753587 |
Booking Calendar WpDevArt <= 3.2.19 - Authenticated (Contributor+) SQL Injection
MEDIUM (6.5)
The Booking Calendar WpDevArt plugin is vulnerable to time-based, blind SQL injection via the `id` parameter in the “wpdevart_booking_calendar” shortcode in versions up to, and including, 3.2.19 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. The vulnerability requires the “delete_prev_date” theme option being enabled. This makes it possible for authenticated attackers, with contributor-level access or above, to append additional SQL queries into already existing query that can be used to extract sensitive information such as passwords from the database.
Published: 2024-12-24T11:09:50.601Z
Updated: 2026-04-08T17:19:23.813Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-24407 |
vulnerable | 2026-06-03 14:49:29.654776 |
WordPress Booking calendar, Appointment Booking System plugin <= 3.2.3 - Broken Access Control vulnerability
MEDIUM (5)
Missing Authorization vulnerability in WpDevArt Booking calendar, Appointment Booking System allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.3.
Published: 2024-12-09T11:31:40.296Z
Updated: 2026-04-28T16:08:06.184Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-24388 |
vulnerable | 2026-06-03 14:49:29.597432 |
WordPress Booking calendar, Appointment Booking System Plugin <= 3.2.3 is vulnerable to Cross Site Request Forgery (CSRF)
MEDIUM (5.4)
Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions affects plugin forms actions (create, duplicate, edit, delete).
Published: 2023-02-17T14:25:11.347Z
Updated: 2026-04-28T16:08:05.611Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-24373 |
vulnerable | 2026-06-03 14:49:29.562957 |
WordPress Booking calendar, Appointment Booking System plugin <= 3.2.3 - Bypass vulnerability
LOW (3.7)
External Control of Assumed-Immutable Web Parameter vulnerability in WpDevArt Booking calendar, Appointment Booking System allows Manipulating Hidden Fields.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.3.
Published: 2024-06-03T21:35:58.308Z
Updated: 2026-04-28T16:08:05.253Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-47438 |
vulnerable | 2026-06-03 14:48:27.444109 |
WordPress Booking calendar, Appointment Booking System Plugin <= 3.2.3 is vulnerable to Cross Site Scripting (XSS)
MEDIUM (5.9)
Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions.
Published: 2023-03-29T12:29:03.749Z
Updated: 2026-04-28T16:07:57.565Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-47428 |
vulnerable | 2026-06-03 14:48:27.415030 |
WordPress Booking calendar, Appointment Booking System Plugin <= 3.2.7 is vulnerable to SQL Injection
MEDIUM (6.7)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpDevArt Booking calendar, Appointment Booking System allows SQL Injection.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.7.
Published: 2023-11-06T07:36:32.349Z
Updated: 2026-04-28T16:07:57.572Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-3982 |
vulnerable | 2026-06-03 14:47:59.664309 |
Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload
The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE
Published: 2022-12-12T17:54:47.850Z
Updated: 2025-04-22T14:52:56.748Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.