CVE-2025-14146

Booking Calendar <= 10.14.10 - Unauthenticated Sensitive Information Exposure

CVSS 5.3 MEDIUMEPSS 0.3%CWE-862

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

09 Jan 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for unauthenticated attackers to extract sensitive booking data including customer names, email addresses, phone numbers, and booking details.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products

wpdevelop · Booking Calendar

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/lib/wpbc-ajax.php#L29 https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/timeline/v2/wpbc-class-timeline_v2.php#L3187 https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/wpbc-activation.php#L572 https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/includes/_functions/nonce_func.php#L33 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3434934%40booking%2Ftrunk&old=3432649%40booking%2Ftrunk&sfp_email=&sfph_mail=#file2 https://www.wordfence.com/threat-intel/vulnerabilities/id/281a1c0e-bbd8-4cf6-94ca-b888c7d7e3af?source=cve