VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 29 known issues Latest disclosed Feb 17, 2026

Booking Calendar Vulnerabilities

Review known vulnerability records for the WordPress plugin Booking Calendar (`booking`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-2230, CVE-2026-32358 and CVE-2026-1431, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
29
High or Critical
7
Patch Coverage
100%
Last Updated
Apr 15, 2026
Priority CVE Quick Links

Fast paths into Booking Calendar CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
25
CVE-2024-1207 Critical 9.9.1
CVE-2024-1207 Booking Calendar SQL Injection

Booking Calendar <= 9.9 - Unauthenticated SQL Injection

CVE-2018-20556 High 8.4.4
CVE-2018-20556 Booking Calendar SQL Injection

Booking Calendar <= 8.4.3 - SQL injection

CVE-2022-1463 High 9.1.1
CVE-2022-1463 Booking Calendar Vulnerability

Booking Calendar <= 9.1 - PHP Object Injection via Shortcode

CVE-2025-14383 High 10.14.9
CVE-2025-14383 Booking Calendar SQL Injection

Booking Calendar <= 10.14.8 - Unauthenticated SQL Injection via dates_to_check

CVE-2023-23991 Medium 9.4.3.1
CVE-2023-23991 Booking Calendar SQL Injection

Booking Calendar <= 9.4.2 - Authenticated (Admin+) SQL Injection

CVE-2023-4620 Medium 9.7.3.1
CVE-2023-4620 Booking Calendar Stored Cross-Site Scripting

Booking Calendar <= 9.7.3 - Unauthenticated Stored Cross-Site Scripting

CVE-2025-12804 Medium 10.14.7
CVE-2025-12804 Booking Calendar Stored Cross-Site Scripting

Booking Calendar <= 10.14.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via bookingcalendar Shortcode

CVE-2025-64381 Medium 10.14.8
CVE-2025-64381 Booking Calendar Stored Cross-Site Scripting

Booking Calendar <= 10.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Booking Calendar so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
29 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
1 critical and 6 high severity findings.
Recent CVEs
CVE-2026-2230, CVE-2026-32358 and CVE-2026-1431
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Booking Calendar

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-2230
CVE-2026-2230: Booking Calendar <= 10.14.14 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification

The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, wit...

Published
Feb 17, 2026
Patched Release
10.14.15
Affected Versions
Versions up to 10.14.14
Next Step
Update to 10.14.15 or newer if supported.
Open CVE-2026-2230 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2026-32358
CVE-2026-32358: Booking Calendar <= 10.14.15 - Authenticated (Editor+) SQL Injection

The Booking Calendar plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 10.14.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated a...

Published
Feb 14, 2026
Patched Release
10.14.16
Affected Versions
Versions up to 10.14.15
Next Step
Update to 10.14.16 or newer if supported.
Open CVE-2026-32358 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2026-1431
CVE-2026-1431: Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure

The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retri...

Published
Jan 30, 2026
Patched Release
10.14.14
Affected Versions
Versions up to 10.14.13
Next Step
Update to 10.14.14 or newer if supported.
Open CVE-2026-1431 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-14982
CVE-2025-14982: Booking Calendar <= 10.14.11 - Missing Authorization to Sensitive Information Exposure

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booki...

Published
Jan 15, 2026
Patched Release
10.14.12
Affected Versions
Versions up to 10.14.11
Next Step
Update to 10.14.12 or newer if supported.
Open CVE-2025-14982 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-14146
CVE-2025-14146: Booking Calendar <= 10.14.10 - Unauthenticated Sensitive Information Exposure

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_a...

Published
Jan 08, 2026
Patched Release
10.14.11
Affected Versions
Versions up to 10.14.10
Next Step
Update to 10.14.11 or newer if supported.
Open CVE-2025-14146 Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-14383
CVE-2025-14383: Booking Calendar <= 10.14.8 - Unauthenticated SQL Injection via dates_to_check

The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'dates_to_check' parameter in all versions up to, and including, 10.14.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin...

Published
Dec 15, 2025
Patched Release
10.14.9
Affected Versions
Versions up to 10.14.8
Next Step
Update to 10.14.9 or newer if supported.
Open CVE-2025-14383 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-12804
CVE-2025-12804: Booking Calendar <= 10.14.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via bookingcalendar Shortcode

The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bookingcalendar' shortcode in all versions up to, and including, 10.14.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it po...

Published
Dec 04, 2025
Patched Release
10.14.7
Affected Versions
Versions up to 10.14.6
Next Step
Update to 10.14.7 or newer if supported.
Open CVE-2025-12804 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-64381
CVE-2025-64381: Booking Calendar <= 10.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 10.14.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above...

Published
Nov 13, 2025
Patched Release
10.14.8
Affected Versions
Versions up to 10.14.7
Next Step
Update to 10.14.8 or newer if supported.
Open CVE-2025-64381 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-9346
CVE-2025-9346: Booking Calendar <= 10.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 10.14.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-lev...

Published
Aug 27, 2025
Patched Release
10.14.2
Affected Versions
Versions up to 10.14.1
Next Step
Update to 10.14.2 or newer if supported.
Open CVE-2025-9346 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-4669
CVE-2025-4669: Booking Calendar <= 10.11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpbc Shortcode

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpbc shortcode in all versions up to, and including, 10.11.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...

Published
May 16, 2025
Patched Release
10.11.2
Affected Versions
Versions up to 10.11.1
Next Step
Update to 10.11.2 or newer if supported.
Open CVE-2025-4669 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-13821
CVE-2024-13821: WP Booking Calendar <= 10.10 - Unauthenticated Post-Confirmation Booking Manipulation

The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a booking has been made and a change is being a...

Published
Feb 11, 2025
Patched Release
10.10.1
Affected Versions
Versions up to 10.10
Next Step
Update to 10.10.1 or newer if supported.
Open CVE-2024-13821 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-13323
CVE-2024-13323: Booking Calendar <= 10.9.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'booking' Shortcode

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'booking' shortcode in all versions up to, and including, 10.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

Published
Jan 13, 2025
Patched Release
10.9.3
Affected Versions
Versions up to 10.9.2
Next Step
Update to 10.9.3 or newer if supported.
Open CVE-2024-13323 Report Open CVE Reference