PT-2026-20474 · WordPress · Booking Calendar

Poystick +1 · Published 2026-02-18 · Updated 2026-02-18 · CVE-2026-2230

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Booking Calendar versions prior to 10.14.15

Description

The Booking Calendar plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This flaw stems from inadequate validation of a user-controlled key within the handle ajax save function. Authenticated attackers possessing Subscriber-level access or higher, and with booking permissions granted by an Administrator, can potentially modify other users' plugin settings, such as booking calendar display options. Successful exploitation can disrupt the booking calendar functionality for targeted users.

Recommendations

Update Booking Calendar to version 10.14.15 or later.
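
For teams reviewing their own AJAX save handlers for the flaw class in the description, the following added example (not Booking Calendar's code and not the vendor's patch) shows a handler that derives the record owner from the session and allowlists setting names. The action name, capability, meta key and setting names are all hypothetical, and storing per-user settings in user meta is an assumption.

```php
<?php
// Added illustration; every name below is hypothetical, not Booking Calendar code.
// Assumption: per-user settings live in user meta under one fixed meta key.
const DEMO_META_KEY = 'demo_calendar_settings';
// Only these setting names may be written through the AJAX endpoint.
const DEMO_ALLOWED = array( 'view_mode', 'months_shown', 'week_start' );

add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings' );

function demo_save_settings() {
    // 1. CSRF check: nonce created with wp_create_nonce( 'demo_save_settings' ).
    check_ajax_referer( 'demo_save_settings', 'nonce' );

    // 2. Capability check (hypothetical capability granted by an Administrator).
    if ( ! current_user_can( 'demo_manage_bookings' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // WEAK PATTERN (do not use): taking the owner key from the request, e.g.
    //   $owner = (int) $_POST['user_id'];
    // lets any authenticated caller write to another user's record.
    // 3. Derive the owner from the authenticated session instead.
    $owner = get_current_user_id();

    // 4. Accept only allowlisted setting names with scalar values.
    $submitted = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $clean = array();
    foreach ( DEMO_ALLOWED as $name ) {
        if ( isset( $submitted[ $name ] ) && is_scalar( $submitted[ $name ] ) ) {
            $clean[ $name ] = sanitize_text_field( (string) $submitted[ $name ] );
        }
    }

    // 5. Merge into the caller's own record only.
    $current = get_user_meta( $owner, DEMO_META_KEY, true );
    $current = is_array( $current ) ? $current : array();
    update_user_meta( $owner, DEMO_META_KEY, array_merge( $current, $clean ) );

    wp_send_json_success( array( 'saved' => array_keys( $clean ) ) );
}
```

If an administrator legitimately needs to edit another user's settings, keep the target ID as input but gate it with a per-object check such as `current_user_can( 'edit_user', $target_id )`.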

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-2230

Affected Products

Booking Calendar