CVE-2016-20068
Description
WordPress Booking Calendar Contact Form <=1.0.23 is vulnerable to unauthenticated blind SQL injection via the 'id' parameter, allowing remote data extraction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Booking Calendar Contact Form plugin version 1.0.23 and earlier is vulnerable to an unauthenticated blind SQL injection. The vulnerability resides in the dex_bccf_get_option function, which uses the id parameter unsanitized, as demonstrated in the dex_bccf_calendar_load2 function where $calid is derived from $_GET["id"] and passed to the SQL query. This allows an attacker to inject arbitrary SQL commands. [1][3]
Exploitation
An attacker can exploit this by sending a crafted HTTP request to the admin-ajax.php endpoint with the action parameter set to dex_bccf_calendar_ajaxevent and malicious SQL code in the id parameter. No authentication or user interaction is required. The attack is blind, meaning the attacker must infer results through timing or other means. [1]
Impact
Successful exploitation allows an unauthenticated attacker to extract sensitive information from the WordPress database, including user credentials, email addresses, and other data. The attacker can read arbitrary database content but cannot modify or delete data due to the blind nature of the injection. [1][3]
Mitigation
As of the available references, no patched version of the plugin has been released. Users should disable the plugin until a fix is available, or implement a web application firewall (WAF) rule to block malicious 'id' parameters. [1][3]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.23
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization of the 'id' parameter and shortcode 'calendar' attribute before they are used in SQL queries."
Attack vector
An unauthenticated attacker sends a crafted HTTP GET request to `/wp-admin/admin-ajax.php` with `action=dex_bccf_calendar_ajaxevent`, `dex_bccf_calendar_load2=list`, and a malicious SQL payload in the `id` parameter [1]. The plugin fails to sanitize this input before using it in a SQL query, enabling blind SQL injection. The attacker can extract arbitrary database contents by observing boolean or time-based responses (e.g., `id=1 and sleep(10)`). A second vector requires an authenticated user with editor/author privileges to embed a malicious shortcode like `[CP_BCCF_FORM calendar=-1 or sleep(10)#]` in a post [1].
Affected code
The vulnerability resides in the `dex_bccf_calendar_load2` function of the Booking Calendar Contact Form plugin. This function unsafely assigns the `id` GET parameter to the constant `CP_BCCF_CALENDAR_ID` without sanitization, and that constant is later used in a SQL query inside `dex_bccf_get_option` [1]. A second injection point exists in the shortcode handler `dex_bccf_filter_content`, where the `calendar` attribute is assigned to `DEX_BCCF_CALENDAR_FIXED_ID` and then used unsanitized in `dex_bccf_get_public_form` [1].
What the fix does
The advisory states that the vendor released version 1.0.24 on 2016-02-08 to fix the issue [1]. The patch does not appear in the bundle, but the fix would require sanitizing or parameterizing the `id` GET parameter before it is assigned to `CP_BCCF_CALENDAR_ID` and used in SQL queries, as well as sanitizing the `calendar` shortcode attribute before it is used in `dex_bccf_get_public_form`. Without these changes, an attacker can inject arbitrary SQL commands.
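As an added example (not from the advisory, the plugin, or this page's own material): a Python log check that applies the allow-list form of the WAF rule suggested under Mitigation to constructed access-log lines, flagging `admin-ajax.php` requests for the vulnerable action whose `id` is anything but a bare number. The combined-log layout and the sample lines are assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined-log style, not real traffic. Line 2 carries
# the time-based probe quoted in the advisory, percent-encoded as a server logs it.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=list&id=1 HTTP/1.1" 200 512
203.0.113.5 - - [15/Jun/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=list&id=1%20and%20sleep(10) HTTP/1.1" 200 512
198.51.100.7 - - [15/Jun/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64
203.0.113.9 - - [15/Jun/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&id=2 HTTP/1.1" 200 512
"""

VULN_ACTION = "dex_bccf_calendar_ajaxevent"  # AJAX action named in the advisory
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def id_is_clean(value: str) -> bool:
    """A legitimate calendar id is a short run of digits and nothing else."""
    # Allow-listing the expected shape beats block-listing keywords like 'sleep'.
    return re.fullmatch(r"[0-9]{1,10}", value) is not None

def classify_request(path: str) -> Optional[str]:
    """'clean' or 'suspicious' for requests to the vulnerable action, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action") != [VULN_ACTION]:
        return None
    # parse_qs percent-decodes, so "1%20and%20sleep(10)" arrives as "1 and sleep(10)".
    if all(id_is_clean(v) for v in qs.get("id", [])):
        return "clean"
    return "suspicious"

def scan_log(text: str) -> List[Dict[str, str]]:
    """Source IP, timestamp and path of every suspicious request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and classify_request(m["path"]) == "suspicious":
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"]})
    return findings
```

The check only sees GET query strings, which is the vector the advisory describes; the shortcode vector lives in post content and needs a separate review of stored posts.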
Preconditions
- config: The WordPress instance must have the Booking Calendar Contact Form plugin version 1.0.23 or earlier installed and activated.
- auth: No authentication is required for the admin-ajax.php vector; the shortcode vector requires an authenticated user with at least editor/author role.
- network: The attacker must be able to send HTTP requests to the WordPress admin-ajax.php endpoint (network reachable).
- input: The attacker supplies a malicious SQL payload in the 'id' GET parameter or in the 'calendar' shortcode attribute.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.