The Booking Calendar plugin for WordPress, developed by wpdevelop, contains a vulnerability identified as CVE-2026-1431, categorized under CWE-862 (Missing Authorization). This vulnerability exists in the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function, which lacks proper capability checks to verify if the requesting user is authorized to access booking information. As a result, unauthenticated attackers can remotely invoke this AJAX function to retrieve sensitive booking data, including customer names, phone numbers, and email addresses. The vulnerability affects all versions up to and including 10.14.13, indicating a widespread exposure among users of this plugin. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality only (C:L), without affecting integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild, but the vulnerability's nature makes it a potential target for data harvesting and privacy violations. The Booking Calendar plugin is commonly used by businesses to manage appointments and reservations, making the exposed data valuable for identity theft, phishing, or spam campaigns. The missing authorization check represents a fundamental security flaw that undermines the plugin's access control mechanisms.

For European organizations, this vulnerability poses a significant risk to customer privacy and data protection obligations under regulations such as the GDPR. Unauthorized disclosure of personal data like names, phone numbers, and emails can lead to reputational damage, regulatory fines, and loss of customer trust. Organizations in sectors relying heavily on booking systems—such as hospitality, healthcare, and professional services—are particularly vulnerable. The breach of confidentiality could facilitate targeted phishing attacks or identity theft. Although the vulnerability does not affect system integrity or availability, the exposure of personal data alone is sufficient to cause substantial harm. Additionally, organizations may face legal consequences if they fail to adequately protect personal data. The ease of exploitation without authentication increases the likelihood of automated scanning and data scraping by malicious actors. This could lead to large-scale data leaks affecting multiple organizations using the plugin across Europe.

Organizations should immediately inventory their WordPress sites to identify installations of the Booking Calendar plugin and verify the version in use. Since no official patch is currently linked, administrators should monitor wpdevelop’s official channels for updates and apply patches promptly once released. In the interim, restricting access to the vulnerable AJAX endpoint (wpbc_ajax_WPBC_FLEXTIMELINE_NAV) via web application firewalls (WAFs) or server-level access controls can reduce exposure. Implementing IP whitelisting or requiring authentication for AJAX requests related to booking data can mitigate unauthorized access. Regularly auditing plugin permissions and capabilities to ensure proper authorization checks are enforced is recommended. Organizations should also monitor logs for unusual access patterns to the plugin’s AJAX endpoints and conduct penetration testing to verify the effectiveness of mitigations. Finally, informing customers about potential data exposure and reinforcing phishing awareness can reduce downstream risks.