CVE-2026-1431

The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/booking/tags/10.14.13/core/lib/wpbc-ajax.php#L25
https://www.wordfence.com/threat-intel/vulnerabilities/id/0bd92f91-d9b1-4f6f-ac1a-477950ea2e80?source=cve

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El plugin Booking Calendar para WordPress es vulnerable a acceso no autorizado de datos debido a una comprobación de capacidad faltante en la función wpbc_ajax_WPBC_FLEXTIMELINE_NAV() en todas las versiones hasta e incluyendo la 10.14.13. Esto hace posible que atacantes no autenticados recuperen información de reserva, incluyendo nombres de clientes, teléfonos y correos electrónicos.

31 Jan 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-31 05:16

Updated : 2026-06-17 10:15

NVD link : CVE-2026-1431

Mitre link : CVE-2026-1431

CVE.ORG link : CVE-2026-1431

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-1431", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-1431", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-02T17:58:11.996755Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security@wordfence.com", "affectedData": [{"vendor": "wpdevelop", "product": "Booking Calendar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "10.14.13"}], "defaultStatus": "unaffected"}]}], "published": "2026-01-31T05:16:32.423", "references": [{"url": "https://plugins.trac.wordpress.org/browser/booking/tags/10.14.13/core/lib/wpbc-ajax.php#L25", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bd92f91-d9b1-4f6f-ac1a-477950ea2e80?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails."}, {"lang": "es", "value": "El plugin Booking Calendar para WordPress es vulnerable a acceso no autorizado de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n wpbc_ajax_WPBC_FLEXTIMELINE_NAV() en todas las versiones hasta e incluyendo la 10.14.13. Esto hace posible que atacantes no autenticados recuperen informaci\u00f3n de reserva, incluyendo nombres de clientes, tel\u00e9fonos y correos electr\u00f3nicos."}], "lastModified": "2026-06-17T10:15:46.657", "sourceIdentifier": "security@wordfence.com"}