Insecure Direct Object Reference Vulnerability in Booking Calendar Contact Form for WordPress
CVE-2026-6810

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Booking Calendar Contact Form
Vendor: CVE Published:; 24 April 2026

What is CVE-2026-6810?

The Booking Calendar Contact Form plugin for WordPress has a significant security flaw due to the lack of proper validation on a user-controlled key in the dex_bccf_admin_int_calendar_list.inc.php file. This vulnerability allows authenticated attackers with Subscriber-level access and above the ability to take over other users' calendars and access sensitive user data associated with those calendars. The vulnerability affects all versions of the plugin up to and including version 1.2.63, posing a serious risk to user privacy and data integrity.

Affected Version(s)

Booking Calendar Contact Form 0 <= 1.2.63

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/booking-calend...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 21, 2026

Credit

Md. Moniruzzaman Prodhan

CVE-2026-6810 Data

JSON