Description
The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'dates_to_check' parameter in all versions up to, and including, 10.14.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-12-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized database access
Action: Update Plugin
AI Analysis

Impact

The Booking Calendar WordPress plugin is vulnerable to a time-based blind SQL injection through the dates_to_check parameter. Because the user-supplied value is neither escaped nor bound through a prepared statement, an attacker can splice additional SQL into the existing query and, by measuring how long the server takes to answer, infer database contents one condition at a time. The affected asset is the site database: the advisory describes unauthorized read access to confidential data, not code execution, data modification or denial of service (the CVSS vector rates Confidentiality High and Integrity and Availability None).
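The two query-building patterns the description contrasts, as an added example rather than code from the plugin or from OpenCVE: a query that wraps each date in quotes and splices the user value into the SQL text, beside one that binds each date as a parameter. The table name, column names, sample rows and the assumption that dates_to_check is a comma-separated list of dates are all constructed for the illustration; SQLite stands in for MySQL, so a boolean payload is used where an attacker against MySQL would use SLEEP() to get the timing signal.

```python
import re
import sqlite3

# Constructed sample data, not taken from the plugin or any real site.
BOOKINGS = [
    ("2025-12-15", "room-1", "alice@example.com"),
    ("2025-12-16", "room-2", "bob@example.com"),
    ("2025-12-20", "room-1", "carol@example.com"),
]

# A constructed tautology payload that breaks out of the quoted date literal.
# On MySQL the same splice point accepts SLEEP(), which is what turns the bug
# into a time-based blind injection; SQLite has no SLEEP(), so the boolean
# form is used here to show the query being altered.
PAYLOAD = "2025-12-15') OR 1=1 --"

# Allow-list shape for a legitimate value: comma-separated YYYY-MM-DD dates.
DATE_LIST_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(,\d{4}-\d{2}-\d{2})*$")


def make_db():
    """In-memory SQLite stand-in for the site database (assumed table layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (booking_date TEXT, room TEXT, email TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)", BOOKINGS)
    return conn


def dates_vulnerable(conn, dates_to_check):
    """CWE-89 pattern: each date is wrapped in quotes and spliced into the SQL text.
    Quoting is not escaping: a quote inside the value ends the literal early."""
    quoted = ", ".join(f"'{d}'" for d in dates_to_check.split(","))
    sql = (
        "SELECT booking_date, room FROM bookings "
        f"WHERE booking_date IN ({quoted}) ORDER BY booking_date"
    )
    return conn.execute(sql).fetchall()


def dates_prepared(conn, dates_to_check):
    """Hardened pattern: one bound placeholder per date, so the value is data only.
    The WordPress equivalent is $wpdb->prepare() with one %s per date."""
    dates = dates_to_check.split(",")
    placeholders = ", ".join("?" for _ in dates)
    sql = (
        "SELECT booking_date, room FROM bookings "
        f"WHERE booking_date IN ({placeholders}) ORDER BY booking_date"
    )
    return conn.execute(sql, dates).fetchall()


def is_valid_date_list(dates_to_check):
    """Defence in depth: reject anything that is not a plain list of dates before
    it reaches the query layer at all."""
    return DATE_LIST_RE.match(dates_to_check) is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, legit  :", dates_vulnerable(db, "2025-12-15,2025-12-16"))
    print("vulnerable, payload:", dates_vulnerable(db, PAYLOAD))  # every row comes back
    print("prepared,   payload:", dates_prepared(db, PAYLOAD))    # nothing matches
    print("valid date list?   :", is_valid_date_list(PAYLOAD))
```

With the payload, the vulnerable builder produces `... IN ('2025-12-15') OR 1=1 --')`, the comment swallows the dangling quote, and every booking row is returned; the prepared builder binds the whole string as one date and matches nothing. The allow-list check is the cheap extra layer: it fails the request before any SQL is built, which is what a local hotfix or a WAF rule for this parameter should do.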

Affected Systems

Any WordPress site running the Booking Calendar plugin by wpdevelop at version 10.14.8 or earlier. Every installation that has not been upgraded past 10.14.8 is affected.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): reachable over the network, low attack complexity, no privileges or user interaction required, with a high confidentiality impact and none on integrity or availability. The EPSS score is below 1%, so the modelled probability of exploitation in the wild is low; that is a statement about expected frequency, not about difficulty, and the SSVC assessment recorded on this page marks the flaw as automatable. It is not listed in the CISA KEV catalog. The attack is remote and unauthenticated: the attacker sends crafted HTTP requests to the plugin endpoint that accepts the dates_to_check parameter, using payloads that delay the database response when an injected condition is true, and reads data out of the timing difference one condition at a time.

Generated by OpenCVE AI on April 21, 2026 at 17:06 UTC.
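Detecting the probing pattern just described in web server logs, as an added example that is not part of the OpenCVE page: time-based blind injection leaves two traces, a dates_to_check value that is not a date list (delay functions, quotes, comment markers) and a run of unusually slow responses from one client. The log lines below are constructed, the request path is a placeholder because the page does not name the endpoint, and the log format (combined format plus request time in seconds) is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines, not real traffic. Assumed format: Apache
# combined-style prefix, then status, bytes and request time in seconds.
# The path "/" is a placeholder; the page does not name the vulnerable endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Dec/2025:14:50:01 +0000] "GET /?dates_to_check=2025-12-15,2025-12-16 HTTP/1.1" 200 512 0.041
203.0.113.10 - - [15/Dec/2025:14:50:07 +0000] "GET /?dates_to_check=2025-12-15%27%29+AND+SLEEP%285%29--+ HTTP/1.1" 200 512 5.043
198.51.100.7 - - [15/Dec/2025:14:51:02 +0000] "POST /?dates_to_check=2025-12-16 HTTP/1.1" 200 300 0.038
203.0.113.10 - - [15/Dec/2025:14:51:15 +0000] "GET /?dates_to_check=2025-12-15%27%29+AND+%28SELECT+BENCHMARK%2850000000%2CMD5%281%29%29%29--+ HTTP/1.1" 200 512 4.902
192.0.2.44 - - [15/Dec/2025:14:52:30 +0000] "GET /?dates_to_check=2025-12-20 HTTP/1.1" 200 512 3.210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<rt>[\d.]+)$'
)
# A legitimate value: one or more YYYY-MM-DD dates separated by commas.
DATE_LIST_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(,\d{4}-\d{2}-\d{2})*$")
# Delay primitives used for time-based blind probing on common engines.
TIME_FUNC_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)
# Characters that have no place in a date list but close a quoted literal.
SQL_META_RE = re.compile(r"['\"();]|--|/\*|#")


def analyse_line(line, slow_seconds=2.0):
    """Return a finding dict for a suspicious dates_to_check value, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    values = parse_qs(query, keep_blank_values=True).get("dates_to_check", [])
    for value in values:
        if DATE_LIST_RE.match(value):
            continue  # well-formed date list: not a probe, even if the request was slow
        reasons = []
        if SQL_META_RE.search(value):
            reasons.append("sql-metachar")
        if TIME_FUNC_RE.search(value):
            reasons.append("time-function")
        if float(m.group("rt")) >= slow_seconds:
            reasons.append("slow-response")
        if reasons:
            return {"ip": m.group("ip"), "ts": m.group("ts"), "value": value, "reasons": reasons}
    return None


def scan_log(text, slow_seconds=2.0):
    """Run analyse_line over every line and keep the findings."""
    findings = []
    for line in text.splitlines():
        f = analyse_line(line, slow_seconds)
        if f:
            findings.append(f)
    return findings


def per_source(findings):
    """Count findings per client; a blind extraction shows up as many hits from one source."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["ip"], f["reasons"], repr(f["value"]))
    print(per_source(hits))
```

The slow but well-formed request from 192.0.2.44 is deliberately not flagged: response time alone is noise, and the signal is slow responses paired with a malformed parameter from the same client. Two caveats a practitioner should keep in mind: a standard access log only records the query string, so a dates_to_check value sent in a POST body is invisible to this check unless request bodies are logged, and the request-time field must actually be present in the log format for the timing half of the rule to work.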

Remediation

No vendor fix or workaround is recorded on this page. The affected range in the description (all versions up to and including 10.14.8) implies that the first unaffected release is 10.14.9.

OpenCVE Recommended Actions

  • Install the latest version of the Booking Calendar plugin (10.14.9 or newer).
  • If an immediate update is not possible, deactivate the plugin, or block requests that carry a dates_to_check parameter at the web server or WAF until the update is applied; the vulnerable endpoint is reachable without authentication, so access controls in front of the site are the only interim barrier. Patching the plugin's PHP locally to validate the parameter is a last resort: the change is overwritten by the next plugin update and has to be re-verified against the query it protects.
  • Audit the site's other plugins for the same pattern (user input concatenated into $wpdb queries instead of passed through $wpdb->prepare()), and keep the WordPress database user scoped to the site's own database so that an injection cannot read other schemas on the same server.

Generated by OpenCVE AI on April 21, 2026 at 17:06 UTC.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
                                      Wpdevelop
                                      Wpdevelop booking Calendar
Vendors & Products                    Wordpress
                                      Wordpress wordpress
                                      Wpdevelop
                                      Wpdevelop booking Calendar

Mon, 15 Dec 2025 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Dec 2025 14:45:00 +0000

Type          Values Removed   Values Added
Description                    The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'dates_to_check' parameter in all versions up to, and including, 10.14.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title                          Booking Calendar <= 10.14.8 - Unauthenticated SQL Injection via dates_to_check
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:04.187Z

Reserved: 2025-12-09T19:34:02.844Z

Link: CVE-2025-14383

Vulnrichment

Updated: 2025-12-15T15:24:46.796Z

NVD

Status : Deferred

Published: 2025-12-15T15:15:49.347

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14383

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses