Är Booking Calendar säkert att använda?

Booking Calendar har 56 kända sårbarheter. De flesta åtgärdas i nya versioner. Håll alltid tillägget uppdaterat för bästa skydd.

Hur vet jag om min sajt är påverkad?

Kör ett gratis test på sitesupport.co/testa-din-hemsida. Testet kontrollerar vilka tillägg och versioner du använder och jämför mot kända sårbarheter.

Vad ska jag göra om jag har en sårbar version?

Uppdatera till senaste versionen så snart som möjligt. Om ingen fix finns tillgänglig, överväg att tillfälligt inaktivera tillägget.

Booking Calendar

Name: Booking Calendar
Rating: 4.7

4.7/5

50 000+ installationer

Original "Booking Calendar" plugin. Easily manage full-day bookings, time-slot appointments, or events in our all-in-one, outstanding booking system.

Kända sårbarheter

Kritiska / höga

2026-02-17

Senaste sårbarhet

50 000+

Aktiva installationer

Om Booking Calendar

Säkerhetsöversikt för Booking Calendar

Booking Calendar är ett populärt WordPress-tillägg som används av cirka 50 000 webbplatser för att hantera bokningar, tidsluckor och evenemang. Trots dess funktionalitet finns det viktiga säkerhetsaspekter att vara medveten om.

Identifierade säkerhetsrisker

Tillägget har totalt 47 dokumenterade sårbarheter, varav majoriteten (33 stycken) klassas som medium-risk. Mer allvarligt är de 9 sårbarheter med hög risk och 2 kritiska sårbarheter som kan utgöra betydande säkerhetsrisker för din webbplats.

Nuvarande säkerhetsstatus

Den senaste kända sårbarheten upptäcktes i april 2022, vilket tyder på att utvecklarna arbetar aktivt med säkerhetsuppdateringar. Detta är positivt för tilläggets långsiktiga säkerhet.

Våra rekommendationer

Kontrollera att du kör den absolut senaste versionen av tillägget
Konfigurera automatiska uppdateringar om möjligt
Överväg att begränsa åtkomsträttigheter för användare som hanterar bokningsfunktionerna
Implementera regelbundna säkerhetskopieringar

Regelbundna uppdateringar är det mest effektiva skyddet mot kända sårbarheter. Vi på Sitesupport hjälper gärna till med kontinuerlig övervakning och uppdatering av dina WordPress-tillägg för optimal säkerhet.

Använder du Booking Calendar?

Kör ett gratis test och se om din hemsida är påverkad av dessa sårbarheter.

Testa din hemsida

Alla kända sårbarheter

Medel 2026-02-17 CVE-2026-2230

Booking Calendar <= 10.14.14 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification

Påverkade versioner: <= 10.14.14

Medel 2026-01-30 CVE-2026-1431

Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure

Påverkade versioner: <= 10.14.13

Medel 2026-01-15 CVE-2025-14982

Booking Calendar <= 10.14.11 - Missing Authorization to Sensitive Information Exposure

Påverkade versioner: <= 10.14.11

Medel 2026-01-08 CVE-2025-14146

Booking Calendar <= 10.14.10 - Unauthenticated Sensitive Information Exposure

Påverkade versioner: <= 10.14.10

Hög 2025-12-15 CVE-2025-14383

Booking Calendar <= 10.14.8 - Unauthenticated SQL Injection via dates_to_check

Påverkade versioner: <= 10.14.8

Medel 2025-12-04 CVE-2025-12804

Booking Calendar <= 10.14.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via bookingcalendar Shortcode

Påverkade versioner: <= 10.14.6

Medel 2025-11-13 CVE-2025-64381

Booking Calendar <= 10.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Påverkade versioner: <= 10.14.7

Medel 2025-08-27 CVE-2025-9346

Booking Calendar <= 10.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Påverkade versioner: <= 10.14.1

Medel 2025-05-16 CVE-2025-4669

Booking Calendar <= 10.11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpbc Shortcode

Påverkade versioner: <= 10.11.1

Hög 2022-04-11 CVE-2022-1006

CVE-2022-1006: The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL...

Påverkade versioner: < 1.7.1

The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks

Hög 2022-04-11 CVE-2022-0920

CVE-2022-0920: The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer...

Påverkade versioner: < 7.6.3

The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's data

Medel 2022-04-11 CVE-2022-0919

CVE-2022-0919: The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well ...

Påverkade versioner: < 7.6.3

The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings,...

Hög 2022-04-04 CVE-2022-0709

CVE-2022-0709: The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticate...

Påverkade versioner: < 1.5.29

The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated users performing a booking, leading to a sensitive...

Medel 2022-04-04 CVE-2022-0825

CVE-2022-0825: The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive inform...

Påverkade versioner: < 1.0.49

The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and p...

Medel 2022-03-28 CVE-2022-0720

CVE-2022-0720: The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information a...

Påverkade versioner: < 1.0.47

The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information about the bookings, such as the full name and phone nu...

Medel 2022-03-23 CVE-2022-0834

CVE-2022-0834: The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the ~/src/Application/Controller/User/Customer/Add...

Påverkade versioner: <= 1.0.46

The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the ~/src/Application/Controller/User/Customer/AddCustomerController.php file which allows attackers to...

Kritisk 2022-03-21 CVE-2022-0739

CVE-2022-0739: The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_s...

Påverkade versioner: < 1.0.11

The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated use...

Kritisk 2022-03-21 CVE-2022-0694

CVE-2022-0694: The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action ...

Påverkade versioner: < 1.7.0

The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated...

Medel 2022-03-07 CVE-2022-0389

CVE-2022-0389: The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilt...

Påverkade versioner: < 1.1.63

The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Medel 2022-01-17 CVE-2021-25061

CVE-2021-25061: The WP Booking System WordPress plugin before 2.0.15 was affected by a reflected xss in wp-booking-system on the wpbs-calendars admin page.

Påverkade versioner: < 2.0.15

The WP Booking System WordPress plugin before 2.0.15 was affected by a reflected xss in wp-booking-system on the wpbs-calendars admin page.

Medel 2022-01-03 CVE-2021-25040

CVE-2021-25040: The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

Påverkade versioner: < 8.9.2

The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

Medel 2021-12-06 CVE-2021-24930

CVE-2021-24930: The WordPress Online Booking and Scheduling Plugin WordPress plugin before 20.3.1 does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-S...

Påverkade versioner: < 20.3.1

The WordPress Online Booking and Scheduling Plugin WordPress plugin before 20.3.1 does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue

Hög 2021-11-08 CVE-2021-24835

CVE-2021-24835: The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible WordPress plugin before 6.5.12, when used in combination with another WCFM - WooCommerce Multivend...

Påverkade versioner: < 6.5.12

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible WordPress plugin before 6.5.12, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Market...

Medel 2021-11-08 CVE-2021-24646

CVE-2021-24646: The Booking.com Banner Creator WordPress plugin before 1.4.3 does not properly sanitize inputs when creating banners, which could allow high privilege users to perform Cross-Site Scripting attacks ...

Påverkade versioner: < 1.4.3

The Booking.com Banner Creator WordPress plugin before 1.4.3 does not properly sanitize inputs when creating banners, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowe...

Medel 2021-11-08 CVE-2021-24645

CVE-2021-24645: The Booking.com Product Helper WordPress plugin before 1.0.2 does not sanitize and escape Product Code when creating Product Shortcode, which could allow high privilege users to perform Cross-Site ...

Påverkade versioner: < 1.0.2

The Booking.com Product Helper WordPress plugin before 1.0.2 does not sanitize and escape Product Code when creating Product Shortcode, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capab...

Medel 2021-10-11 CVE-2021-24712

CVE-2021-24712: The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars.

Påverkade versioner: < 1.3.17

The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars.

Medel 2021-10-04 CVE-2021-24673

CVE-2021-24673: The Appointment Hour Booking WordPress plugin before 1.3.16 does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even whe...

Påverkade versioner: < 1.3.16

The Appointment Hour Booking WordPress plugin before 1.3.16 does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Medel 2021-07-12 CVE-2021-24429

CVE-2021-24429: The Salon booking system WordPress plugin before 6.3.1 does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set...

Påverkade versioner: < 6.3.1

The Salon booking system WordPress plugin before 6.3.1 does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site S...

Medel 2021-06-01 CVE-2021-24318

CVE-2021-24318: The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/pos...

Påverkade versioner: < 1.6.11

The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector.

Medel 2021-06-01 CVE-2021-24317

CVE-2021-24317: The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues

Påverkade versioner: < 1.6.11

The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues

Medel 2021-04-22 CVE-2021-24232

CVE-2021-24232: The Advanced Booking Calendar WordPress plugin before 1.6.8 does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting ...

Påverkade versioner: < 1.6.8

The Advanced Booking Calendar WordPress plugin before 1.6.8 does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting issue

Medel 2021-04-12 CVE-2021-24225

CVE-2021-24225: The Advanced Booking Calendar WordPress plugin before 1.6.7 did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputing it in an A tag, leading to a reflected XSS issue

Påverkade versioner: < 1.6.7

The Advanced Booking Calendar WordPress plugin before 1.6.7 did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputing it in an A tag, leading to a reflected XSS issue

Medel 2020-08-26 CVE-2020-24313

CVE-2020-24313: Etoile Web Design Ultimate Appointment Booking & Scheduling WordPress Plugin v1.1.9 and lower does not sanitize the value of the "Appointment_ID" GET parameter before echoing it back out inside an ...

Påverkade versioner: <= 1.1.9

Etoile Web Design Ultimate Appointment Booking & Scheduling WordPress Plugin v1.1.9 and lower does not sanitize the value of the "Appointment_ID" GET parameter before echoing it back out inside an input tag. This results in a reflected XSS vulnerabil...

Medel 2020-07-05 CVE-2020-15536

CVE-2020-15536: An issue was discovered in the bestsoftinc Hotel Booking System Pro plugin through 1.1 for WordPress. Persistent XSS can occur via any of the registration fields.

Påverkade versioner: <= 1.1

An issue was discovered in the bestsoftinc Hotel Booking System Pro plugin through 1.1 for WordPress. Persistent XSS can occur via any of the registration fields.

Hög 2020-03-04 CVE-2020-9372

CVE-2020-9372: The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via...

Påverkade versioner: < 1.3.35

The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cp...

Medel 2020-03-04 CVE-2020-9371

CVE-2020-9371: Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaS...

Påverkade versioner: < 1.3.35

Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML.

Hög 2019-10-10 CVE-2015-9460

CVE-2015-9460: The booking-system plugin before 2.1 for WordPress has DOPBSPBackEndTranslation::display SQL injection via the language parameter.

Påverkade versioner: < 2.1

The booking-system plugin before 2.1 for WordPress has DOPBSPBackEndTranslation::display SQL injection via the language parameter.

Medel 2019-08-22 CVE-2013-7480

CVE-2013-7480: The events-manager plugin before 5.3.6.1 for WordPress has XSS via the booking form and admin areas.

Påverkade versioner: < 5.3.6.1

The events-manager plugin before 5.3.6.1 for WordPress has XSS via the booking form and admin areas.

Medel 2019-08-22 CVE-2013-7477

CVE-2013-7477: The events-manager plugin before 5.5.2 for WordPress has XSS in the booking form.

Påverkade versioner: < 5.5.2

The events-manager plugin before 5.5.2 for WordPress has XSS in the booking form.

Medel 2019-08-21 CVE-2016-10908

CVE-2016-10908: The booking-calendar-contact-form plugin before 1.0.24 for WordPress has XSS.

Påverkade versioner: < 1.0.24

The booking-calendar-contact-form plugin before 1.0.24 for WordPress has XSS.

Hög 2019-08-21 CVE-2016-10909

CVE-2016-10909: The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.

Påverkade versioner: < 1.0.24

The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.

Medel 2019-08-21 CVE-2017-18555

CVE-2017-18555: The booking-sms plugin before 1.1.0 for WordPress has XSS.

Påverkade versioner: < 1.1.0

The booking-sms plugin before 1.1.0 for WordPress has XSS.

Medel 2019-08-09 CVE-2019-14791

CVE-2019-14791: The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter.

Påverkade versioner: all

The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter.

Medel 2019-07-11 CVE-2019-13505

CVE-2019-13505: The Appointment Hour Booking plugin 1.1.44 for WordPress allows XSS via the E-mail field, as demonstrated by email_1.

Påverkade versioner: all

The Appointment Hour Booking plugin 1.1.44 for WordPress allows XSS via the E-mail field, as demonstrated by email_1.

Hög 2019-05-20 CVE-2019-12239

CVE-2019-12239: The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative access.

Påverkade versioner: < 1.5.2

The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative access.

Medel 2019-03-21 CVE-2018-20556

CVE-2018-20556: SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.

Påverkade versioner: all

SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.

Medel 2018-06-13 CVE-2018-10363

CVE-2018-10363: An issue was discovered in the WpDevArt "Booking calendar, Appointment Booking System" plugin 2.2.2 for WordPress. Multiple parameters allow remote attackers to manipulate the values to change data...

Påverkade versioner: all

An issue was discovered in the WpDevArt "Booking calendar, Appointment Booking System" plugin 2.2.2 for WordPress. Multiple parameters allow remote attackers to manipulate the values to change data such as prices.

Medel 2018-02-11 CVE-2018-6891

CVE-2018-6891: Bookly #1 WordPress Booking Plugin Lite before 14.5 has XSS via a jQuery.ajax request to ng-payment_details_dialog.js.

Påverkade versioner: < 14.5

Bookly #1 WordPress Booking Plugin Lite before 14.5 has XSS via a jQuery.ajax request to ng-payment_details_dialog.js.

Medel 2018-01-13 CVE-2018-5673

CVE-2018-5673: An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via wp-admin/admin.php.

Påverkade versioner: all

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via wp-admin/admin.php.

Låg 2018-01-13 CVE-2018-5672

CVE-2018-5672: An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php form_field5[label] parameter.

Påverkade versioner: all

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php form_field5[label] parameter.

Låg 2018-01-13 CVE-2018-5671

CVE-2018-5671: An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php extra_field1[items][field_item1][price_percent] parameter.

Påverkade versioner: all

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php extra_field1[items][field_item1][price_percent] parameter.

Låg 2018-01-13 CVE-2018-5670

CVE-2018-5670: An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php sale_conditions[count][] parameter.

Påverkade versioner: all

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php sale_conditions[count][] parameter.

Medel 2015-09-29 CVE-2015-7320

CVE-2015-7320: Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allow remote attacker...

Påverkade versioner: <= 1.1.7

Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecif...

Hög 2015-09-29 CVE-2015-7319

CVE-2015-7319: SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary ...

Påverkade versioner: <= 1.1.7

SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to updat...

Medel 2014-07-02 CVE-2014-4547

CVE-2014-4547: Multiple cross-site scripting (XSS) vulnerabilities in templates/default/index_ajax.php in the Rezgo Online Booking plugin before 1.8.2 for WordPress allow remote attackers to inject arbitrary web ...

Påverkade versioner: <= 1.8

Multiple cross-site scripting (XSS) vulnerabilities in templates/default/index_ajax.php in the Rezgo Online Booking plugin before 1.8.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) tags or (2) search_for par...

Medel 2014-05-22 CVE-2014-3210

CVE-2014-3210: SQL injection vulnerability in dopbs-backend-forms.php in the Booking System (Booking Calendar) plugin before 1.3 for WordPress allows remote authenticated users to execute arbitrary SQL commands v...

Påverkade versioner: <= 1.2

SQL injection vulnerability in dopbs-backend-forms.php in the Booking System (Booking Calendar) plugin before 1.3 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the booking_form_id parameter to wp-admin/admin-aj...

Så skyddar du din sajt

Sårbarheter i tillägg är den vanligaste attackytan för WordPress-sajter. Det bästa skyddet är att vara proaktiv — här är tre konkreta steg.

Håll tillägget uppdaterat

De flesta sårbarheter i Booking Calendar åtgärdas snabbt av utvecklarna. Uppdatera alltid till senaste versionen.

Ta bort oanvända tillägg

Varje tillägg är en potentiell attackyta. Avinstallera det du inte aktivt använder.

Bevaka automatiskt

Med löpande övervakning upptäcker du problem innan de blir allvarliga.

Vill du slippa hålla koll själv? Med ett supportavtal från Sitesupport sköter vi uppdateringar och säkerhet åt dig.

Vanliga frågor om Booking Calendar

Booking Calendar har 56 kända sårbarheter, varav 12 med hög eller kritisk allvarlighetsgrad. Det betyder inte nödvändigtvis att tillägget är osäkert — de flesta sårbarheter åtgärdas i nya versioner. Det viktigaste är att alltid köra den senaste versionen.

Det enklaste sättet är att köra ett gratis test av din hemsida på sitesupport.co. Testet kontrollerar vilka tillägg du använder och vilka versioner som är installerade, och jämför det mot kända sårbarheter.

Uppdatera till den senaste versionen så snart som möjligt. Om det inte finns en uppdatering som åtgärdar problemet bör du överväga att tillfälligt inaktivera tillägget, särskilt om sårbarheten har kritisk eller hög allvarlighetsgrad.

Booking Calendar har över 50 000 aktiva installationer på WordPress.org och ett betyg på 4.7 av 5. Populära tillägg har generellt bättre säkerhetsrutiner tack vare större community och fler ögon på koden.