Home

Description

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.

PUBLISHED Reserved 2026-06-14 | Published 2026-06-15 | Updated 2026-06-15 | Assigner VulnCheck




HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Any version
affected

Credits

Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ] finder

References

www.exploit-db.com/exploits/39423 (ExploitDB-39423) exploit

wordpress.dwbooster.com/ (Official Product Homepage) product

www.vulncheck.com/...g-calendar-contact-form-sql-injection-2 (VulnCheck Advisory: WordPress Booking Calendar Contact Form 1.0.23 SQL Injection) third-party-advisory

cve.org (CVE-2016-20069)

nvd.nist.gov (CVE-2016-20069)

Download JSON