Directory traversal vulnerability in Booking Calendar version 7.0 and earlier allows remote attackers to read arbitrary files via specially crafted captcha_chalange parameter.

Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to updating the username.

SQL injection vulnerability in load-calendar.php in PHPJabbers Event Booking Calendar 2.0 allows remote attackers to execute arbitrary SQL commands via the cid parameter.

Multiple cross-site request forgery (CSRF) vulnerabilities in PHPJabbers Event Booking Calendar 2.0 allow remote attackers to hijack the authentication of administrators for requests that (1) change the username and password of the administrator via an update action to the AdminOptions controller or conduct cross-site scripting (XSS) attacks via the (2) event_title parameter in a create action to the AdminEvents controller or (3) category_title parameter in a create action to the AdminCategories controller.

Cross-site scripting (XSS) vulnerability in details_view.php in PHP Booking Calendar 10e allows remote attackers to inject arbitrary web script or HTML via the page_info_message parameter.