Attack Vectors
Booking Calendar (WordPress plugin slug: booking) is affected by a Medium-severity issue (CVSS 4.3) identified as CVE-2026-2230. The vulnerability is an Insecure Direct Object Reference (IDOR) in versions up to and including 10.14.14.
Exploitation requires an authenticated account (Subscriber-level or higher) that an Administrator has also granted booking permissions. With that access, the attacker can abuse the plugin's AJAX save path (the handle_ajax_save pathway) to modify other users' Booking Calendar settings: the request carries a user-controlled key that identifies which settings are written, and the handler does not properly validate that key against the requesting user.
Security Weakness
The core weakness is a missing authorization check on a user-controlled identifier used when saving settings. In practical terms, the handler trusts that the identifier in the request names the correct user's settings, rather than verifying that the requester is permitted to change that specific user's Booking Calendar configuration. The missing step is an ownership or capability check tied to the requester's session, not merely validation of the value's format; that is the defining pattern of an IDOR.
This is not a full site takeover scenario, but it is a permission and integrity problem: authenticated users with the right plugin permissions can alter how other users' booking calendars behave and appear, without legitimate authorization to do so.
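To make the pattern concrete, the following is an added, hypothetical WordPress AJAX handler written for this write-up; it is not the Booking Calendar plugin's code, and the function names, the target_user request parameter, the nonce action and the example_booking_view meta key are all assumptions. The vulnerable version accepts a user ID from the request and writes that user's settings after only a nonce and a generic capability check, which is the IDOR shape described above. The hardened version resolves the target from the logged-in session and, when a different user is named, requires the requester to hold the edit_user meta-capability for that account.

```php
<?php
/**
 * Illustrative (hypothetical) "save settings" AJAX handlers for a WordPress
 * plugin. NOT the Booking Calendar plugin's code: the function names, the
 * target_user parameter, the nonce action and the meta key are assumptions.
 */

// --- Vulnerable pattern: the target user is taken from the request ----------
function example_vulnerable_save_settings() {
    // A nonce stops CSRF; it does nothing about an authenticated attacker
    // choosing a different target user.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Generic capability check: every Subscriber has 'read'.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Attacker-controlled: any authenticated user can name any other user ID.
    $target_user = absint( $_POST['target_user'] ?? 0 );
    $view        = sanitize_text_field( wp_unslash( $_POST['view'] ?? '' ) );

    // The value is sanitised for format, but nobody checks that the requester
    // may write THIS user's settings. That missing check is the IDOR.
    update_user_meta( $target_user, 'example_booking_view', $view );
    wp_send_json_success( array( 'user' => $target_user ) );
}
add_action( 'wp_ajax_example_vulnerable_save', 'example_vulnerable_save_settings' );

// --- Hardened pattern: derive the target from the session, or authorise it --
/**
 * Returns the user ID whose settings the current user may write, or 0.
 * A requested ID of 0 (or the caller's own ID) means "my own settings".
 */
function example_authorised_target_user( $requested ) {
    $self = get_current_user_id();
    if ( 0 === $self ) {
        return 0; // not logged in
    }
    if ( 0 === $requested || $requested === $self ) {
        return $self; // writing your own settings is always allowed
    }
    // Changing someone else's settings requires the edit_user meta-capability
    // for that specific account (held by Administrators by default).
    return current_user_can( 'edit_user', $requested ) ? $requested : 0;
}

function example_hardened_save_settings() {
    check_ajax_referer( 'example_save_settings', 'nonce' );

    $requested   = absint( $_POST['target_user'] ?? 0 );
    $target_user = example_authorised_target_user( $requested );
    if ( 0 === $target_user ) {
        wp_send_json_error( 'not allowed to modify that user', 403 );
    }

    $view = sanitize_text_field( wp_unslash( $_POST['view'] ?? '' ) );
    update_user_meta( $target_user, 'example_booking_view', $view );
    wp_send_json_success( array( 'user' => $target_user ) );
}
add_action( 'wp_ajax_example_hardened_save', 'example_hardened_save_settings' );
```

The design point is that the object reference (the user ID) must be bound to the requester's identity on the server side. If a feature genuinely needs to edit other users' settings, the authorization check has to be evaluated against the specific target, which is what the per-user edit_user meta-capability gives you; a role check alone (such as "is this user a Subscriber or above") cannot distinguish "my settings" from "someone else's".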
Technical or Business Impacts
Because the impact is primarily on settings integrity, organizations should think about this vulnerability in terms of operational disruption and business process reliability. A likely outcome is that booking calendar display options are changed for a targeted user, disrupting that user's workflow and interfering with booking calendar functionality.
For marketing directors and business leaders, the risk is that disrupted booking experiences can translate into lost conversions, missed appointments, increased support volume, and brand damage—especially if customers encounter inconsistent availability, confusing booking flows, or broken calendar views.
Remediation: Update Booking Calendar to 10.14.15 or a newer patched version. Also review which accounts have been granted booking permissions, and keep Subscriber-level accounts scoped to only what they need.
Similar Attacks
IDOR and "user can change another user's settings" issues are a common class of WordPress plugin weakness. Public reporting on the topic and on related vulnerabilities is available from reputable sources such as:
OWASP: IDOR Prevention Cheat Sheet
Wordfence Blog (WordPress vulnerability research and real-world cases)