CVE-2016-20068 | WordPress Booking Calendar Contact Form version 1.0.23 conta… | CVSS 8.2 HIGH

Description

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information.

Metadata

CVE ID: CVE-2016-20068
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-14 18:27 UTC
Published: 2026-06-15 12:02 UTC
Last updated: 2026-06-15 16:14 UTC
Primary CWE: CWE-89
Improper Neutralization of Special Elements used in an SQL C…
Vendor / Product: dwbooster / Booking Calendar Contact Form
Sources: cve.org · NVD

Severity & Metrics

8.2 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
dwbooster	Booking Calendar Contact Form	—	0 ≤ 1.0.23

Weakness (CWE)

CWE	Source	Description
CWE-89	cna	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.8	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
8.2	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References (3)

ExploitDB-39423 https://www.exploit-db.com/exploits/39423
Official Product Homepage http://wordpress.dwbooster.com/
VulnCheck Advisory: WordPress Booking Calendar Contact Form 1.0.23 SQL Injection https://www.vulncheck.com/advisories/wordpress-booking-calendar-contact-form-sql-injection