CVE-2016-20069 PUBLISHED

WordPress Booking Calendar Contact Form 1.0.23 SQL Injection

Assigner: VulnCheck
Reserved: 14.06.2026 Published: 15.06.2026 Updated: 15.06.2026

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.8

Product Status

Vendor: dwbooster
Product: Booking Calendar Contact Form
Versions:
  • affected from 0 to 1.0.23 (incl.)

Credits

  • Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ] (finder)

Problem Types

  • CWE: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')