Today, on one of our websites and in third-party data we monitor, we saw what appeared to be a hacker probing for usage of the WordPress plugin Booking Calendar. In the past year, a serious vulnerability and lesser security issues were fixed in the plugin. Those could possibly explain a hacker’s interest in the plugin, especially the serious vulnerability. To make sure there wasn’t something still in the plugin that might be targeted, we did a quick check of the plugin for security issues that are commonly targeted by hackers. What we found was that the plugin still lacks basic security, and that, at the least, allows a hacker to easily gain access to all the customer data submitted through the plugin.
We would recommend avoiding the plugin unless a thorough security review, like the ones we do, is done and all the issues found are addressed.