CVE-2026-2230: CWE-639 Authorization Bypass Through User-Controlled Key in wpdevelop Booking Calendar
The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users' plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user.
AI Analysis
Technical Summary
CVE-2026-2230 is an insecure direct object reference vulnerability in the Booking Calendar WordPress plugin (up to version 10.14.14). The issue is due to insufficient validation of a user-controlled key in the handle_ajax_save function, allowing authenticated users with certain permissions to alter other users' plugin settings. This authorization bypass can affect booking calendar display configurations, potentially disrupting user experience. The vulnerability requires at least Subscriber-level access with booking permissions and does not impact confidentiality or availability, only integrity of settings.
Potential Impact
An authenticated attacker with Subscriber-level access and granted booking permissions can modify other users' booking calendar settings. This may disrupt the booking calendar functionality for those users but does not lead to data confidentiality loss or system availability impact. The integrity of plugin settings is compromised, which could affect user experience and booking operations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict booking permissions carefully and limit Subscriber-level users' capabilities to prevent unauthorized modifications. Monitor plugin updates from wpdevelop for a security patch addressing this vulnerability.
CVE-2026-2230: CWE-639 Authorization Bypass Through User-Controlled Key in wpdevelop Booking Calendar
Description
The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users' plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-2230 is an insecure direct object reference vulnerability in the Booking Calendar WordPress plugin (up to version 10.14.14). The issue is due to insufficient validation of a user-controlled key in the handle_ajax_save function, allowing authenticated users with certain permissions to alter other users' plugin settings. This authorization bypass can affect booking calendar display configurations, potentially disrupting user experience. The vulnerability requires at least Subscriber-level access with booking permissions and does not impact confidentiality or availability, only integrity of settings.
Potential Impact
An authenticated attacker with Subscriber-level access and granted booking permissions can modify other users' booking calendar settings. This may disrupt the booking calendar functionality for those users but does not lead to data confidentiality loss or system availability impact. The integrity of plugin settings is compromised, which could affect user experience and booking operations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict booking permissions carefully and limit Subscriber-level users' capabilities to prevent unauthorized modifications. Monitor plugin updates from wpdevelop for a security patch addressing this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-08T18:51:36.435Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6996fb478fb9188dea8c0328
Added to database: 2/19/2026, 12:00:07 PM
Last enriched: 4/9/2026, 6:38:48 PM
Last updated: 5/22/2026, 5:58:50 PM
Views: 108
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.