PT-2026-1731 · WordPress · Booking Calendar
Filippo Decortes
·
Publicado
2026-01-09
·
Atualizado
2026-01-09
·
CVE-2025-14146
CVSS v3.1
5.3
Média
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Booking Calendar versions prior to 10.14.11
Description
The Booking Calendar plugin for WordPress is susceptible to sensitive information exposure via the
WPBC FLEXTIMELINE NAV AJAX action. This occurs because nonce verification is conditionally disabled by default when the booking is nonce at front end option is set to 'Off'. When the booking is show popover in timeline front end option is enabled, unauthenticated attackers can extract sensitive booking data, including customer names, email addresses, phone numbers, and booking details.Recommendations
Update Booking Calendar to version 10.14.11 or later.
Correção
Missing Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Booking Calendar