CVE-2025-14146

Name of the Vulnerable Software and Affected Versions Booking Calendar versions prior to 10.14.11

Description The Booking Calendar plugin for WordPress is susceptible to sensitive information exposure via the WPBC FLEXTIMELINE NAV AJAX action. This occurs because nonce verification is conditionally disabled by default when the booking is nonce at front end option is set to 'Off'. When the booking is show popover in timeline front end option is enabled, unauthenticated attackers can extract sensitive booking data, including customer names, email addresses, phone numbers, and booking details.

Recommendations Update Booking Calendar to version 10.14.11 or later.