Impact
The Booking Calendar plugin for WordPress contains an Insecure Direct Object Reference in the handle_ajax_save function. Because the code fails to validate a user-controlled key, an attacker who holds the Subscriber role (or higher) and has been granted booking permissions by an Administrator can change the plugin settings of any other user. This allows the attacker to disrupt the target user's booking calendar functionality, potentially causing scheduling errors or loss of data. The weakness is a classic example of privilege escalation and is classified as CWE-639 (Authorization Bypass Through User-Controlled Key).
Affected Systems
WordPress sites running the Booking Calendar plugin (wpdevelop:Booking Calendar) at version 10.14.14 or earlier. The vulnerability affects every installation in which the default AJAX endpoint is enabled, and it can be triggered by any user who has been granted booking permissions by an Administrator.
Risk and Exploitability
With a CVSS score of 4.3 the vulnerability is rated moderate, and an EPSS score below 1% indicates a very low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers require valid authenticated access; the attack is carried out from within the WordPress site by sending a crafted AJAX request to the vulnerable endpoint, which, because the key is never validated, accepts whichever target user the requester names. The moderate score reflects the limited scope (only the targeted user's plugin configuration is affected), and the low exploitation probability reduces immediate urgency but still warrants prompt remediation.
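The missing object-level authorization check described above, as an added illustration in WordPress PHP; this is not the Booking Calendar plugin's code, and the hook name example_bk_save, the request parameters user_id and settings, and the meta key example_bk_settings are assumptions chosen for the example.

```php
<?php
// Added illustration of the CWE-639 pattern (authorization bypass through a
// user-controlled key). NOT the plugin's code: hook name, parameter names and
// meta key are assumptions.

// Vulnerable shape: the handler trusts a request-supplied user id to decide
// whose settings are written, so any logged-in user who can reach the endpoint
// can overwrite another user's configuration.
function example_bk_save_settings_insecure() {
    $target_user = intval( $_POST['user_id'] );           // attacker-controlled key
    $settings    = wp_unslash( $_POST['settings'] );
    update_user_meta( $target_user, 'example_bk_settings', $settings );
    wp_send_json_success();
}

// Hardened shape: verify the nonce, default the target to the session user,
// and require an explicit capability before a different user may be targeted.
function example_bk_save_settings_secure() {
    check_ajax_referer( 'example_bk_save', 'nonce' );

    $current_user = get_current_user_id();
    $target_user  = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : $current_user;

    // Object-level authorization: only the owner, or an account that is
    // allowed to edit other users, may write a given user's settings.
    if ( $target_user !== $current_user && ! current_user_can( 'edit_user', $target_user ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // dies here
    }

    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = sanitize_text_field( $settings );
    update_user_meta( $target_user, 'example_bk_settings', $settings );
    wp_send_json_success();
}

// Only the hardened handler is registered; the insecure one is shown for contrast.
add_action( 'wp_ajax_example_bk_save', 'example_bk_save_settings_secure' );
```

For detection, AJAX requests to the booking endpoint whose user_id differs from the authenticated session's user id, sent by accounts without edit_user rights, are the signal to alert on.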
OpenCVE Enrichment