Show filters
476 Total Results
Displaying 21-30 of 476
Sort by:
Attacker Value
Unknown

CVE-2024-12811

Disclosure Date: February 28, 2025 (last updated February 28, 2025)
The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_slider' shortcode 'style' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
Attacker Value
Unknown

CVE-2024-12737

Disclosure Date: February 26, 2025 (last updated February 27, 2025)
The WP BASE Booking of Appointments, Services and Events WordPress plugin before 5.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
0
Attacker Value
Unknown

CVE-2024-13235

Disclosure Date: February 21, 2025 (last updated February 26, 2025)
The Pinpoint Booking System – #1 WordPress Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'language' parameter in all versions up to, and including, 2.9.9.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Attacker Value
Unknown

CVE-2024-13508

Disclosure Date: February 19, 2025 (last updated February 27, 2025)
The Booking Package plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the locale parameter in all versions up to, and including, 1.6.72 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Attacker Value
Unknown

CVE-2025-23653

Disclosure Date: February 14, 2025 (last updated February 27, 2025)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Form To Online Booking allows Reflected XSS. This issue affects Form To Online Booking: from n/a through 1.0.
0
Attacker Value
Unknown

CVE-2024-13821

Disclosure Date: February 12, 2025 (last updated February 26, 2025)
The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted. This makes it possible for unauthenticated attackers to manipulate their confirmed bookings, even after they have been approved.
0
Attacker Value
Unknown

CVE-2025-24661

Disclosure Date: February 03, 2025 (last updated February 27, 2025)
Deserialization of Untrusted Data vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Object Injection. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 1.1.8.
0
Attacker Value
Unknown

CVE-2025-22684

Disclosure Date: February 03, 2025 (last updated February 27, 2025)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hakan Ozevin WP BASE Booking allows Stored XSS. This issue affects WP BASE Booking: from n/a through 5.0.0.
0
Attacker Value
Unknown

CVE-2025-24560

Disclosure Date: January 31, 2025 (last updated February 27, 2025)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Awesome TOGI Awesome Event Booking allows Reflected XSS. This issue affects Awesome Event Booking: from n/a through 2.7.1.
0
Attacker Value
Unknown

CVE-2025-22720

Disclosure Date: January 31, 2025 (last updated February 27, 2025)
Missing Authorization vulnerability in MagePeople Team Booking and Rental Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking and Rental Manager: from n/a through 2.2.1.
0