SQL Injection Vulnerability in WordPress Booking Calendar Contact Form by WordPress
CVE-2016-20069

8.8HIGH

Key Information:

Vendor

WordPress
Status
Booking Calendar Contact Form
Vendor
CVE Published:
15 June 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2016-20069?

The WordPress Booking Calendar Contact Form version 1.0.23 is vulnerable to an unauthenticated blind SQL injection flaw. This vulnerability arises from the inadequate sanitization of the 'calendar' parameter in the shortcode function, allowing malicious actors to send crafted input and execute arbitrary SQL queries. Successfully exploiting this vulnerability could result in unauthorized access to sensitive data within the database.

Affected Version(s)

Booking Calendar Contact Form 0 <= 1.0.23

References

https://www.exploit-db.com/exploits/39423
exploit
http://wordpress.dwbooster.com/
product
https://www.vulncheck.com/advisories/wordpress-booking-ca...
third-party-advisory

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
.