Unauthenticated SQL Injection in Booking Calendar Contact Form by WordPress
CVE-2016-20068

8.8HIGH

Key Information:

Vendor

WordPress
Status
Booking Calendar Contact Form
Vendor
CVE Published:
15 June 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2016-20068?

The Booking Calendar Contact Form version 1.0.23 for WordPress is susceptible to an unauthenticated blind SQL injection vulnerability. This flaw allows remote attackers to execute arbitrary SQL queries against the application. By manipulating the 'id' parameter in requests sent to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent', attackers can inject malicious SQL commands, potentially leading to unauthorized access to sensitive database information.

Affected Version(s)

Booking Calendar Contact Form 0 <= 1.0.23

References

https://www.exploit-db.com/exploits/39423
exploit
http://wordpress.dwbooster.com/
product
https://www.vulncheck.com/advisories/wordpress-booking-ca...
third-party-advisory

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
.