The booking-sms plugin before 1.1.0 for WordPress has XSS.

The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter.

SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.

An issue was discovered in the WpDevArt "Booking calendar, Appointment Booking System" plugin 2.2.2 for WordPress. Multiple parameters allow remote attackers to manipulate the values to change data such as prices.

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php form_field5[label] parameter.

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php extra_field1[items][field_item1][price_percent] parameter.

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via wp-admin/admin.php.

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php sale_conditions[count][] parameter.

The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2, and WP e-Commerce - Clockwork SMS 2.0.5.

Cross-site scripting vulnerability in Booking Calendar version 7.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.