CVE-2025-14146

MEDIUM

Booking Calendar <10.14.10 - Info Disclosure

Title source: llm

Description

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for unauthenticated attackers to extract sensitive booking data including customer names, email addresses, phone numbers, and booking details.

References (6)

Core 6

Core References

Product

https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/lib/wpbc-ajax.php#L29

Product

https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/timeline/v2/wpbc-class-timeline_v2.php#L3187

Product

https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/wpbc-activation.php#L572

Product

https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/includes/_functions/nonce_func.php#L33

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3434934%40booking%2Ftrunk&old=3432649%40booking%2Ftrunk&sfp_email=&sfph_mail=#file2

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/281a1c0e-bbd8-4cf6-94ca-b888c7d7e3af?source=cve

Scores

CVSS v3 5.3

EPSS 0.0034

EPSS Percentile 25.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

wpdevelop/Booking Calendar < 10.14.10

Published Jan 09, 2026

Tracked Since Feb 18, 2026