Vulnerability Database

317,182

Total vulnerabilities in the database

CVE-2025-14146

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the WPBC_FLEXTIMELINE_NAV AJAX action. This is due to the nonce verification being conditionally disabled by default (booking_is_nonce_at_front_end option is 'Off' by default). When the booking_is_show_popover_in_timeline_front_end option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for unauthenticated attackers to extract sensitive booking data including customer names, email addresses, phone numbers, and booking details.

Published: Jan 9, 2026
Updated: Jan 10, 2026
CVE: CVE-2025-14146
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-862

Affected Software
References

No affected software listed.

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo