CVE-2016-20069 | WordPress Booking Calendar Contact Form 1.0.23 contains an u… | CVSS 8.2 HIGH

Description

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.

Metadata

CVE ID: CVE-2016-20069
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-14 18:27 UTC
Published: 2026-06-15 12:00 UTC
Last updated: 2026-06-15 19:24 UTC
Primary CWE: CWE-89
Improper Neutralization of Special Elements used in an SQL C…
Vendor / Product: dwbooster / Booking Calendar Contact Form
Sources: cve.org · NVD

Severity & Metrics

8.2 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
dwbooster	Booking Calendar Contact Form	—	0 ≤ 1.0.23

Weakness (CWE)

CWE	Source	Description
CWE-89	cna	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.8	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
8.2	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References (3)

ExploitDB-39423 https://www.exploit-db.com/exploits/39423
Official Product Homepage http://wordpress.dwbooster.com/
VulnCheck Advisory: WordPress Booking Calendar Contact Form 1.0.23 SQL Injection https://www.vulncheck.com/advisories/wordpress-booking-calendar-contact-form-sql-injection-2