The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the iCal representation of its booking calendar, but this token is returned in the JSON response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Booking_package | Saasproject | * | 1.5.29 (excluding) |