CVE-2016-20084 | WordPress appointment-booking-calendar 1.1.24 contains multi… | CVSS 7.2 HIGH

Description

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScript into the 'ict' and 'ics' options or the calendar 'name' parameter via GET requests to execute arbitrary scripts when the calendar is displayed or accessed in the administration interface.

Metadata

CVE ID: CVE-2016-20084
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-15 11:54 UTC
Published: 2026-06-15 12:00 UTC
Last updated: 2026-06-15 12:00 UTC
Primary CWE: CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product: dwbooster / Booking Calendar Contact
Sources: cve.org · NVD

Severity & Metrics

7.2 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
dwbooster	Booking Calendar Contact	—	0 ≤ 1.1.24

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (2)

Score	Severity	Version	Source	Vector
7.2	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
5.1	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References (3)

ExploitDB-39341 https://www.exploit-db.com/exploits/39341
Product Reference http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
VulnCheck Advisory: WordPress appointment-booking-calendar 1.1.24 Privilege Escalation XSS https://www.vulncheck.com/advisories/wordpress-appointment-booking-calendar-privilege-escalation-xss