CVE-2026-2230
📋 TL;DR
The Booking Calendar plugin for WordPress has an Insecure Direct Object Reference vulnerability that allows authenticated attackers with Subscriber-level access and booking permissions to modify other users' plugin settings. This can disrupt booking calendar functionality for targeted users by altering display options and configuration settings.
💻 Affected Systems
- Booking Calendar WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could systematically modify all user settings, causing widespread booking system disruption, data inconsistency, and potential business impact for organizations relying on the calendar.
Likely Case
Targeted modification of specific users' settings causing localized booking functionality disruption and user confusion.
If Mitigated
Minimal impact with proper access controls and monitoring in place to detect unauthorized setting changes.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions, but it is technically simple once that access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 10.14.15 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3456856/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Booking Calendar plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporary User Permission Restriction
Temporarily remove booking permissions from Subscriber-level users until the patch is applied.
Plugin Deactivation
Temporarily deactivate the Booking Calendar plugin if it is not critical for operations.
🧯 If You Can't Patch
- Implement strict access controls to limit booking permissions to trusted users only
- Enable detailed logging of user setting changes and monitor for unauthorized modifications
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Booking Calendar → Version number. If the version is 10.14.14 or lower, the system is vulnerable.
Check Version:
wp plugin list --name=booking --field=version (if WP-CLI is installed)
Verify Fix Applied:
Verify Booking Calendar plugin version is 10.14.15 or higher in WordPress admin panel.
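The version check above can be scripted so it does not depend on reading the number by eye. The following POSIX sh script is an added example, not part of this advisory or of the plugin itself: it compares a dotted version string numerically (so 10.9.0 sorts below 10.14.15, which a plain string comparison gets wrong) against the fixed version the advisory names, and optionally reads the installed version through the WP-CLI command given above. It assumes purely numeric dotted versions and the plugin slug `booking` used in that command.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): compare an installed
# Booking Calendar version against the fixed version named in the advisory.
FIXED_VERSION="10.14.15"

# version_lt A B : exit 0 when dotted version A is strictly lower than B.
# Fields are compared numerically one at a time; a missing field counts as 0,
# so 10.14 and 10.14.0 compare equal. Assumes numeric dotted versions only.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    # drop the field just consumed; with no dot left the variable becomes empty
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1   # all fields equal: not lower
}

# is_vulnerable_version V : exit 0 when V is below the fixed version.
is_vulnerable_version() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_installed : read the installed version via WP-CLI and report.
# Exit 0 = vulnerable, 1 = fixed, 2 = could not determine.
check_installed() {
  if ! command -v wp >/dev/null 2>&1; then
    echo "wp-cli not found; read the version from the WordPress admin panel instead"
    return 2
  fi
  v="$(wp plugin list --name=booking --field=version 2>/dev/null)"
  if [ -z "$v" ]; then
    echo "Booking Calendar (slug 'booking') does not appear to be installed"
    return 2
  fi
  if is_vulnerable_version "$v"; then
    echo "VULNERABLE: installed $v is below $FIXED_VERSION"
    return 0
  fi
  echo "OK: installed $v is $FIXED_VERSION or later"
  return 1
}
```

Source the file and call `check_installed` on the WordPress host, or call `is_vulnerable_version 10.14.14` directly to test a version string collected from the admin panel.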
📡 Detection & Monitoring
Log Indicators:
- Unusual user setting modifications in WordPress logs
- Multiple setting changes from single user account in short timeframe
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with save-user-meta actions
SIEM Query:
source="wordpress.log" action="save_user_meta" user_role="subscriber"
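The log indicator "multiple setting changes from a single user account in a short timeframe" can be turned into a concrete burst check. The script below is an added example, not part of this advisory: it filters log lines for the settings-save action named above and flags any account that issues at least THRESHOLD such requests within WINDOW seconds. The log format, field names (`user=`, `role=`, `target_user=`) and all sample lines are constructed for the example; WordPress does not emit this format by itself, so adapt the field extraction to whatever your access or audit logging actually records. Timestamps are compared as seconds since midnight, so the sample assumes a single day of logs.

```shell
#!/bin/sh
# Added example (not from the advisory): flag accounts that send bursts of
# settings-save AJAX requests. Log format and field names are constructed.

# Constructed sample log: one line per request, sorted by time.
SAMPLE_LOG='2026-03-01T10:00:01Z user=alice role=subscriber POST /wp-admin/admin-ajax.php action=save_user_meta target_user=3
2026-03-01T10:05:00Z user=mallory role=subscriber POST /wp-admin/admin-ajax.php action=save_user_meta target_user=4
2026-03-01T10:05:10Z user=mallory role=subscriber POST /wp-admin/admin-ajax.php action=save_user_meta target_user=5
2026-03-01T10:05:15Z user=mallory role=subscriber POST /wp-admin/admin-ajax.php action=heartbeat
2026-03-01T10:05:20Z user=mallory role=subscriber POST /wp-admin/admin-ajax.php action=save_user_meta target_user=6
2026-03-01T10:05:30Z user=mallory role=subscriber POST /wp-admin/admin-ajax.php action=save_user_meta target_user=7
2026-03-01T10:10:00Z user=bob role=subscriber POST /wp-admin/admin-ajax.php action=save_user_meta target_user=8
2026-03-01T10:20:00Z user=bob role=subscriber POST /wp-admin/admin-ajax.php action=save_user_meta target_user=8'

# flag_bursty_users THRESHOLD WINDOW_SECONDS < log
# Prints each user once, the first time they reach THRESHOLD settings-save
# requests inside a sliding window of WINDOW_SECONDS. POSIX awk only.
flag_bursty_users() {
  awk -v thr="$1" -v win="$2" '
    # keep only requests carrying the settings-save action
    $0 !~ /action=save_user_meta/ { next }
    {
      user = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^user=/) user = substr($i, 6)
      if (user == "") next
      # seconds since midnight from the ISO timestamp in field 1
      split($1, dt, "T"); split(dt[2], hms, ":"); sub(/Z$/, "", hms[3])
      t = hms[1] * 3600 + hms[2] * 60 + hms[3]
      n[user]++; ts[user, n[user]] = t
      # count this user'\''s requests that fall inside the trailing window
      c = 0
      for (i = 1; i <= n[user]; i++) if (ts[user, i] >= t - win) c++
      if (c >= thr && !(user in flagged)) { flagged[user] = 1; print user }
    }'
}

# run_sample THRESHOLD WINDOW_SECONDS : apply the check to the constructed log.
run_sample() {
  printf '%s\n' "$SAMPLE_LOG" | flag_bursty_users "$1" "$2"
}
```

With `run_sample 3 60` only `mallory` is reported: four settings-save requests against different target users within 30 seconds, while the unrelated heartbeat request is ignored and bob's two requests are ten minutes apart. Lower the threshold to 1 and every account that saved settings at all is listed, which is the noisy baseline the threshold exists to suppress.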