CVE-2026-1431
📋 TL;DR
The Booking Calendar plugin for WordPress has an authorization vulnerability that allows unauthenticated attackers to access booking data. This affects all WordPress sites using vulnerable versions of the plugin, exposing customer personal information including names, phone numbers, and email addresses.
💻 Affected Systems
- Booking Calendar WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass data exfiltration of all booking records containing PII, leading to privacy violations, regulatory penalties, and potential follow-on attacks using stolen contact information.
Likely Case
Unauthorized access to booking data containing customer PII, potentially enabling spam, phishing, or social engineering attacks against affected customers.
If Mitigated
Limited or no data exposure if proper network segmentation, web application firewalls, and access controls are implemented.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple HTTP requests to the vulnerable AJAX endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.14.14 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/booking/tags/10.14.14
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Booking Calendar plugin
4. Click 'Update Now' if available
5. Alternatively, download version 10.14.14+ from WordPress repository and manually update
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allBlock access to the vulnerable wpbc_ajax_WPBC_FLEXTIMELINE_NAV function via .htaccess or web server configuration
# Add to .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} action=wpbc_ajax_WPBC_FLEXTIMELINE_NAV
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
</IfModule>
🧯 If You Can't Patch
- Temporarily disable the Booking Calendar plugin until patched
- Implement web application firewall rules to block requests to the vulnerable AJAX endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Booking Calendar → Version number. If version is 10.14.13 or lower, you are vulnerable.Check Version:
wp plugin list --name=booking --field=versionVerify Fix Applied:
After updating, verify version is 10.14.14 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=wpbc_ajax_WPBC_FLEXTIMELINE_NAV parameter from unauthenticated users
Network Indicators:
- Unusual spikes in requests to WordPress AJAX endpoints from external IPs
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=wpbc_ajax_WPBC_FLEXTIMELINE_NAV*" AND NOT user_agent="*WordPress*"