CVE-2026-1431
Unauthorized Data Access in Booking Calendar WordPress Plugin
Publication date: 2026-01-31
Last updated on: 2026-01-31
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| booking_calendar | booking_calendar | up to 10.14.13 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Booking Calendar plugin for WordPress, where a missing capability check in the function wpbc_ajax_WPBC_FLEXTIMELINE_NAV() allows unauthenticated attackers to access booking information. Because the function does not properly verify user permissions, attackers can retrieve sensitive data such as customer names, phone numbers, and email addresses without authorization. [1]
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of personal booking information including customer names, phone numbers, and emails. This exposure can result in privacy breaches, potential phishing attacks, identity theft, and loss of customer trust. Since attackers do not need to be authenticated, the risk of data leakage is significant. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized access attempts to the AJAX endpoint that dispatches to the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in the Booking Calendar plugin. Since the flaw lets unauthenticated attackers retrieve booking information, look for HTTP requests to the AJAX handler URL that carry no valid authentication or nonce token. For example, network monitoring tools or web server logs can be searched for suspicious POST or GET requests whose URL contains 'wpbc_ajax_WPBC_FLEXTIMELINE_NAV'. A sample command to search web server logs (e.g., Apache) for such requests is: `grep 'wpbc_ajax_WPBC_FLEXTIMELINE_NAV' /var/log/apache2/access.log`. Additionally, inspecting WordPress AJAX request logs or enabling debug logging for the plugin may help detect exploitation attempts. Note that the plugin's AJAX functions normally require nonce verification, but this particular function lacks that check, so monitoring for unauthorized access to it is a feasible detection approach. [1]
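The log search above, carried a step further as an added example (not part of this record or of the plugin): it parses Apache combined-format lines, keeps only admin-ajax.php requests whose logged target carries the FLEXTIMELINE_NAV token, and reports per source IP how many reached the handler and how many were answered 2xx, so a probe blocked by a WAF rule is distinguishable from one that was served. Matching on the token rather than the full function name is an assumption: WordPress's wp_ajax_{action} hook convention implies a shorter action value than the handler name quoted in the record, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Token shared by the advisory's handler name (wpbc_ajax_WPBC_FLEXTIMELINE_NAV)
# and the shorter action value WordPress's wp_ajax_{action} convention implies (assumed).
MARKER = "FLEXTIMELINE_NAV"

# Apache "combined" format; only the fields needed for the check are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_suspect(line):
    """Return (ip, status) for an admin-ajax.php request whose logged target
    carries the marker; None for anything else (or an unparseable line)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target").lower()
    if "admin-ajax.php" not in target or MARKER.lower() not in target:
        return None
    return m.group("ip"), int(m.group("status"))

def scan(lines):
    """Per source IP: (requests reaching the handler, those answered 2xx),
    so a probe blocked by a WAF rule is distinguishable from one that was served."""
    hits, served = Counter(), Counter()
    for line in lines:
        found = is_suspect(line)
        if found is None:
            continue
        ip, status = found
        hits[ip] += 1
        if 200 <= status < 300:
            served[ip] += 1
    return {ip: (hits[ip], served[ip]) for ip in hits}

# Constructed sample lines, not real traffic; addresses are documentation ranges.
SAMPLE = """\
198.51.100.7 - - [31/Jan/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=WPBC_FLEXTIMELINE_NAV HTTP/1.1" 200 5120 "-" "curl/8.4.0"
198.51.100.7 - - [31/Jan/2026:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=WPBC_FLEXTIMELINE_NAV HTTP/1.1" 200 4880 "-" "curl/8.4.0"
198.51.100.9 - - [31/Jan/2026:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=wpbc_ajax_WPBC_FLEXTIMELINE_NAV HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.5 - - [31/Jan/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Jan/2026:10:04:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 1200 "-" "curl/8.4.0"
""".splitlines()

if __name__ == "__main__":
    for ip, (total, ok) in sorted(scan(SAMPLE).items()):
        print(f"{ip}: {total} hit(s) on the handler, {ok} served with 2xx")
```

The fourth sample line shows the limitation of log-based detection: an action sent in a POST body is not written to a standard access log, so such requests need request-body logging or a WAF rule to be seen.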
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Booking Calendar plugin to a version later than 10.14.13 where the missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function is fixed. If an update is not immediately available, you should restrict access to the vulnerable AJAX endpoint by implementing firewall rules or web server access controls to block unauthenticated requests to that function. Additionally, disabling or limiting the Booking Calendar plugin functionality temporarily until a patch is applied can reduce risk. Monitoring for suspicious activity targeting this endpoint and enforcing strong authentication and nonce verification on AJAX requests where possible are also recommended. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to access booking information including customer names, phones, and emails, which constitutes unauthorized access to personal data. This exposure can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. Therefore, this vulnerability negatively impacts compliance with these common standards and regulations by risking personal data confidentiality. [1]