{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1431", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-26T10:49:01.641Z", "datePublished": "2026-01-31T04:35:14.563Z", "dateUpdated": "2026-04-08T16:34:56.175Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:56.175Z"}, "affected": [{"vendor": "wpdevelop", "product": "Booking Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "10.14.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails."}], "title": "Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bd92f91-d9b1-4f6f-ac1a-477950ea2e80?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/tags/10.14.13/core/lib/wpbc-ajax.php#L25"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "timeline": [{"time": "2026-01-23T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-26T11:15:30.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-30T16:06:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T17:58:11.996755Z", "id": "CVE-2026-1431", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T17:58:21.979Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1431", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-02T17:58:11.996755Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T17:58:18.891Z"}}], "cna": {"title": "Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure", "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "wpdevelop", "product": "Booking Calendar", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "10.14.13"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-26T11:15:30.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-30T16:06:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bd92f91-d9b1-4f6f-ac1a-477950ea2e80?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/tags/10.14.13/core/lib/wpbc-ajax.php#L25"}], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-31T04:35:14.563Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1431", "state": "PUBLISHED", "dateUpdated": "2026-02-02T17:58:21.979Z", "dateReserved": "2026-01-26T10:49:01.641Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-31T04:35:14.563Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails."}, {"lang": "es", "value": "El plugin Booking Calendar para WordPress es vulnerable a acceso no autorizado de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n wpbc_ajax_WPBC_FLEXTIMELINE_NAV() en todas las versiones hasta e incluyendo la 10.14.13. Esto hace posible que atacantes no autenticados recuperen informaci\u00f3n de reserva, incluyendo nombres de clientes, tel\u00e9fonos y correos electr\u00f3nicos."}], "id": "CVE-2026-1431", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-31T05:16:32.423", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking/tags/10.14.13/core/lib/wpbc-ajax.php#L25"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bd92f91-d9b1-4f6f-ac1a-477950ea2e80?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:22:38.251778+00:00", "value": {"mitigation_remediation": ["Upgrade the Booking Calendar plugin to the latest available version to add the missing capability check.", "If an update is unavailable, disable or delete the plugin to eliminate the exposure.", "Configure web\u2011application firewalls or server rules to block unauthenticated access to the wpbc\u2011ajax.php endpoint, or further restrict it to authenticated users only."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "WordPress sites running the wpdevelop:Booking Calendar plugin, versions up to and including 10.14.13, are affected.", "description_and_impact": "The Booking Calendar plugin for WordPress permits unauthenticated users to invoke an AJAX function that reveals detailed booking information, including customer names, phone numbers, and email addresses, because the function lacks a capability check. This missing authorization check leads to a confidentiality breach and corresponds to CWE\u2011862.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.3 and an EPSS score of less than 1\u202f%, indicating moderate severity but a low likelihood of exploitation. It is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. The attack vector is an unauthenticated AJAX request; attackers only need access to the site\u2019s public URL to retrieve sensitive booking data."}}}}, "created": "2026-02-02T09:26:43.984029+00:00", "updated": "2026-04-16T01:30:20.310649+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdevelop", "wpdevelop$PRODUCT$booking_calendar"]}