4 vulnerabilities found for bookit by stylemixthemes
CVE-2023-50852 (GCVE-0-2023-50852)
Vulnerability from nvd – Published: 2023-12-28 11:30 – Updated: 2024-08-02 22:23
Title
WordPress BookIt Plugin <= 2.4.3 is vulnerable to SQL Injection
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Booking Calendar | Appointment Booking | BookIt. This issue affects Booking Calendar | Appointment Booking | BookIt: from n/a through 2.4.3.
Severity
7.6 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | Booking Calendar \| Appointment Booking \| BookIt | Affected: n/a, ≤ 2.4.3 (custom) |
Credits
Muhammad Daffa (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:23:43.696Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bookit/wordpress-bookit-plugin-2-4-3-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "bookit",
"product": "Booking Calendar | Appointment Booking | BookIt",
"vendor": "StylemixThemes",
"versions": [
{
"changes": [
{
"at": "2.4.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.4.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Muhammad Daffa (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in StylemixThemes Booking Calendar | Appointment Booking | BookIt.\u003cp\u003eThis issue affects Booking Calendar | Appointment Booking | BookIt: from n/a through 2.4.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in StylemixThemes Booking Calendar | Appointment Booking | BookIt.This issue affects Booking Calendar | Appointment Booking | BookIt: from n/a through 2.4.3.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-28T11:30:57.071Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/bookit/wordpress-bookit-plugin-2-4-3-sql-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;2.4.4 or a higher version."
}
],
"value": "Update to\u00a02.4.4 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress BookIt Plugin \u003c= 2.4.3 is vulnerable to SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-50852",
"datePublished": "2023-12-28T11:30:57.071Z",
"dateReserved": "2023-12-14T17:19:16.268Z",
"dateUpdated": "2024-08-02T22:23:43.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2834 (GCVE-0-2023-2834)
Vulnerability from nvd – Published: 2023-06-30 01:56 – Updated: 2026-04-08 17:24
Title
BookIt <= 2.3.7 - Authentication Bypass
Summary
The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
Severity
9.8 (Critical)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Impacted products
| Vendor | Product | Version |
|---|---|---|
| stellarwp | Bookit — Booking & Appointment Calendar | Affected: 0, ≤ 2.3.7 (semver) |
Credits
István Márton
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:33:06.207Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfd32e46-a4fc-4c10-b546-9f9da75db791?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/bookit/tags/2.3.6/includes/classes/CustomerController.php#L27"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/bookit/tags/2.3.6/includes/classes/database/Customers.php#L63"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2919529/bookit"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2925153/bookit"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2023/06/stylemixthemes-addresses-authentication-bypass-vulnerability-in-bookit-wordpress-plugin/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lana.codes/lanavdb/0dea1346-fd60-4338-8af6-6f89c29075d4/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2834",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T16:12:04.040827Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T16:12:18.198Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bookit \u2014 Booking \u0026 Appointment Calendar",
"vendor": "stellarwp",
"versions": [
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:43.829Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfd32e46-a4fc-4c10-b546-9f9da75db791?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bookit/tags/2.3.6/includes/classes/CustomerController.php#L27"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bookit/tags/2.3.6/includes/classes/database/Customers.php#L63"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2919529/bookit"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2925153/bookit"
},
{
"url": "https://www.wordfence.com/blog/2023/06/stylemixthemes-addresses-authentication-bypass-vulnerability-in-bookit-wordpress-plugin/"
},
{
"url": "https://lana.codes/lanavdb/0dea1346-fd60-4338-8af6-6f89c29075d4/"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-22T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-22T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-06-20T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "BookIt \u003c= 2.3.7 - Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2834",
"datePublished": "2023-06-30T01:56:17.606Z",
"dateReserved": "2023-05-22T10:35:10.936Z",
"dateUpdated": "2026-04-08T17:24:43.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-50852 (GCVE-0-2023-50852)
Vulnerability from cvelistv5 – Published: 2023-12-28 11:30 – Updated: 2024-08-02 22:23
Title
WordPress BookIt Plugin <= 2.4.3 is vulnerable to SQL Injection
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Booking Calendar | Appointment Booking | BookIt. This issue affects Booking Calendar | Appointment Booking | BookIt: from n/a through 2.4.3.
Severity
7.6 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Impacted products
| Vendor | Product | Version |
|---|---|---|
| StylemixThemes | Booking Calendar \| Appointment Booking \| BookIt | Affected: n/a, ≤ 2.4.3 (custom) |
Credits
Muhammad Daffa (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:23:43.696Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/bookit/wordpress-bookit-plugin-2-4-3-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "bookit",
"product": "Booking Calendar | Appointment Booking | BookIt",
"vendor": "StylemixThemes",
"versions": [
{
"changes": [
{
"at": "2.4.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.4.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Muhammad Daffa (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in StylemixThemes Booking Calendar | Appointment Booking | BookIt.\u003cp\u003eThis issue affects Booking Calendar | Appointment Booking | BookIt: from n/a through 2.4.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in StylemixThemes Booking Calendar | Appointment Booking | BookIt.This issue affects Booking Calendar | Appointment Booking | BookIt: from n/a through 2.4.3.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-28T11:30:57.071Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/bookit/wordpress-bookit-plugin-2-4-3-sql-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;2.4.4 or a higher version."
}
],
"value": "Update to\u00a02.4.4 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress BookIt Plugin \u003c= 2.4.3 is vulnerable to SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-50852",
"datePublished": "2023-12-28T11:30:57.071Z",
"dateReserved": "2023-12-14T17:19:16.268Z",
"dateUpdated": "2024-08-02T22:23:43.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2834 (GCVE-0-2023-2834)
Vulnerability from cvelistv5 – Published: 2023-06-30 01:56 – Updated: 2026-04-08 17:24
Title
BookIt <= 2.3.7 - Authentication Bypass
Summary
The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
Severity
9.8 (Critical)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Impacted products
| Vendor | Product | Version |
|---|---|---|
| stellarwp | Bookit — Booking & Appointment Calendar | Affected: 0, ≤ 2.3.7 (semver) |
Credits
István Márton
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:33:06.207Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfd32e46-a4fc-4c10-b546-9f9da75db791?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/bookit/tags/2.3.6/includes/classes/CustomerController.php#L27"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/bookit/tags/2.3.6/includes/classes/database/Customers.php#L63"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2919529/bookit"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2925153/bookit"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2023/06/stylemixthemes-addresses-authentication-bypass-vulnerability-in-bookit-wordpress-plugin/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lana.codes/lanavdb/0dea1346-fd60-4338-8af6-6f89c29075d4/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2834",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T16:12:04.040827Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T16:12:18.198Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bookit \u2014 Booking \u0026 Appointment Calendar",
"vendor": "stellarwp",
"versions": [
{
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:43.829Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfd32e46-a4fc-4c10-b546-9f9da75db791?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bookit/tags/2.3.6/includes/classes/CustomerController.php#L27"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bookit/tags/2.3.6/includes/classes/database/Customers.php#L63"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2919529/bookit"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2925153/bookit"
},
{
"url": "https://www.wordfence.com/blog/2023/06/stylemixthemes-addresses-authentication-bypass-vulnerability-in-bookit-wordpress-plugin/"
},
{
"url": "https://lana.codes/lanavdb/0dea1346-fd60-4338-8af6-6f89c29075d4/"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-22T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-22T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-06-20T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "BookIt \u003c= 2.3.7 - Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2834",
"datePublished": "2023-06-30T01:56:17.606Z",
"dateReserved": "2023-05-22T10:35:10.936Z",
"dateUpdated": "2026-04-08T17:24:43.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}