The Booking Package plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the locale parameter in all versions up to, and including, 1.6.72 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Improper Privilege Management vulnerability in SAASPROJECT Booking Package Booking Package allows Privilege Escalation.This issue affects Booking Package: from n/a through 1.5.98.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in SAASPROJECT Booking Package Booking Package plugin <= 1.6.01 versions.

The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability.

Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors.