CVE-2026-6810 | THREATINT

Description

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to takeover other user's calendars and view user data associated with the calendar.

PUBLISHED Reserved 2026-04-21 | Published 2026-04-24 | Updated 2026-04-24 | Assigner Wordfence

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status

unaffected

Any version

affected

Timeline

2026-04-21:	Vendor Notified
2026-04-23:	Disclosed

Credits

Md. Moniruzzaman Prodhan finder

References

www.wordfence.com/...-239d-4b83-ab0c-ad165485498d?source=cve

plugins.trac.wordpress.org/...dmin_int_calendar_list.inc.php

plugins.trac.wordpress.org/...dmin_int_calendar_list.inc.php

plugins.trac.wordpress.org/...dmin_int_calendar_list.inc.php

plugins.trac.wordpress.org/...dmin_int_calendar_list.inc.php

plugins.trac.wordpress.org/...ontact-form/trunk/dex_bccf.php

plugins.trac.wordpress.org/...-form/tags/1.2.63/dex_bccf.php

plugins.trac.wordpress.org/...act-form&sfp_email=&sfph_mail=

cve.org (CVE-2026-6810)

nvd.nist.gov (CVE-2026-6810)

Download JSON

help @ threatint.eu