CVE-2016-20068 PUBLISHED

WordPress Booking Calendar Contact Form 1.0.23 SQL Injection

Assigner: VulnCheck
Reserved: 14.06.2026 Published: 15.06.2026 Updated: 15.06.2026

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information.
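As an added, defender-side example (not part of the CVE record or of the dwbooster plugin code), the following Python scans web server access logs for requests that reach the admin-ajax.php action named above with a non-integer 'id', which is the request shape this advisory describes. The log lines are constructed for the example; the combined log format and the assumption that a legitimate id is a plain integer are assumptions, not facts from the record.

```python
"""Detection helper for CVE-2016-20068-style requests in access logs.

Flags requests to admin-ajax.php whose action is dex_bccf_calendar_ajaxevent
and whose 'id' value is not a plain integer.  Only query strings are visible
in ordinary access logs; POST bodies need WAF or application-level logging.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format lines for the example, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&id=12 HTTP/1.1" 200 512
203.0.113.5 - - [15/Jun/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&id=12%27 HTTP/1.1" 500 0
198.51.100.7 - - [15/Jun/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&id=12%27 HTTP/1.1" 200 20
203.0.113.5 - - [15/Jun/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&id=12%20AND%201%3D1 HTTP/1.1" 200 512
"""

# Combined log format (assumed): ip ident user [ts] "METHOD target proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_ACTION = "dex_bccf_calendar_ajaxevent"  # AJAX action named in the CVE text
INT_RE = re.compile(r"^\d{1,10}$")           # assumption: a benign id is a plain integer


def suspicious_ids(log_text):
    """Return (ip, timestamp, decoded_id, status) for each request that hits the
    vulnerable action with a non-integer 'id'. Benign integer ids and other
    admin-ajax actions are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/admin-ajax.php"):
            continue
        # parse_qs percent-decodes values, so %27 becomes a literal quote.
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("action", [""])[0] != VULN_ACTION:
            continue
        raw_id = qs.get("id", [""])[0]
        if INT_RE.fullmatch(raw_id):
            continue  # expected benign use of the calendar event lookup
        hits.append((m["ip"], m["ts"], raw_id, int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, bad_id, status in suspicious_ids(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} id={bad_id!r}")
```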

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.8

Product Status

Vendor dwbooster
Product Booking Calendar Contact Form
Versions
  • affected from 0 to 1.0.23 (incl.)

Credits

  • Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ] finder

References

Problem Types

  • Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE