We wanted to make you aware about multiple serious vulnerabilities in versions 2.4.3 and below of the Booked – Appointment Booking for WordPress plugin.
The patched version (2.4.4) of the Booked plugin can be downloaded free of charge for the next 28 days:
Importantly, this must be installed manually—do not attempt to update Booked via the WordPress back end or the Envato Market plugin. We recommend making a back up of your site before doing this, and confirming the update was successful by going to the Plugins screen and making sure the version number is 2.4.4.
If you have used this plugin in projects for clients, please help them to secure their sites as well.