{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2230", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-08T18:51:36.435Z", "datePublished": "2026-02-18T16:28:14.595Z", "dateUpdated": "2026-04-08T16:56:42.711Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:42.711Z"}, "affected": [{"vendor": "wpdevelop", "product": "Booking Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "10.14.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users' plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user."}], "title": "Booking Calendar <= 10.14.14 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60f7df44-22f9-4a9e-a20c-4b8628674079?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/save-user-meta/save-user-meta.php#L90"}, {"url": "https://plugins.trac.wordpress.org/changeset/3456856/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tarc\u00edsio Luchesi De Almeida Silva"}], "timeline": [{"time": "2026-02-08T19:06:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T19:21:30.580962Z", "id": "CVE-2026-2230", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T19:25:03.914Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2230", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T19:21:30.580962Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T19:22:35.797Z"}}], "cna": {"title": "Booking Calendar <= 10.14.14 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification", "credits": [{"lang": "en", "type": "finder", "value": "Tarc\u00edsio Luchesi De Almeida Silva"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpdevelop", "product": "Booking Calendar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "10.14.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-08T19:06:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60f7df44-22f9-4a9e-a20c-4b8628674079?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/save-user-meta/save-user-meta.php#L90"}, {"url": "https://plugins.trac.wordpress.org/changeset/3456856/"}], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users' plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:42.711Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2230", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:56:42.711Z", "dateReserved": "2026-02-08T18:51:36.435Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T16:28:14.595Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users' plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user."}, {"lang": "es", "value": "El plugin Booking Calendar para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 10.14.14, inclusive, a trav\u00e9s de la funci\u00f3n handle_ajax_save debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, y permisos de reserva otorgados por un Administrador, modifiquen la configuraci\u00f3n del plugin de otros usuarios, como las opciones de visualizaci\u00f3n del calendario de reservas, lo que puede interrumpir la funcionalidad del calendario de reservas para el usuario objetivo."}], "id": "CVE-2026-2230", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T17:21:36.327", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/save-user-meta/save-user-meta.php#L90"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3456856/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60f7df44-22f9-4a9e-a20c-4b8628674079?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 75.0, "confidence_source": "inferred", "scores": [{"score": 75.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.14.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Booking Calendar", "source": "cna", "vendor": "wpdevelop"}, "product": "booking_calendar", "vendor": "wpdevelop"}], "analysis": {"en": {"generated_at": "2026-04-15T20:19:45.715484+00:00", "value": {"mitigation_remediation": ["Update the Booking Calendar plugin to the latest release that includes a fix for the handle_ajax_save validation flaw.", "If an immediate update is not possible, revoke booking permissions from all Subscriber roles and grant them only to Administrators or other trusted roles.", "Disable or remove the handle_ajax_save AJAX endpoint from the plugin until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Arbitrary modification of other users\u2019 Booking Calendar settings by authenticated subscribers"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Booking Calendar plugin (wpdevelop:Booking Calendar) version 10.14.14 or earlier. The vulnerability applies to all plugin installations with the default AJAX endpoint enabled and to any user who has been granted booking permissions by an Administrator.", "description_and_impact": "The Booking Calendar plugin for WordPress contains an Insecure Direct Object Reference in the handle_ajax_save function. Because the code fails to validate a user\u2011controlled key, an attacker who has a Subscriber role (or higher) and booking permissions granted by an Administrator can change the plugin settings of any other user. This allows the attacker to disrupt the target user\u2019s booking calendar functionality, potentially causing scheduling errors or loss of data. The weakness is a classic example of privilege escalation, classified as CWE\u2011639.", "risk_and_exploitability": "According to the CVSS score of 4.3 the vulnerability is considered moderate, and the EPSS score of less than 1% indicates a very low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers require valid authenticated access; the attack can be performed from within the WordPress site by sending a crafted AJAX request to the vulnerable endpoint, bypassing the missing key validation. The moderate score reflects the limited scope, affecting only the targeted user\u2019s plugin configuration, and the low exploitation probability reduces immediate urgency but still warrants prompt remediation."}}}}, "created": "2026-02-19T10:11:40.045745+00:00", "updated": "2026-04-15T20:30:13.771754+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdevelop", "wpdevelop$PRODUCT$booking_calendar"]}