VYPR
High severity 8.2 · NVD Advisory · Published Jun 15, 2026

CVE-2016-20069

Description

WordPress Booking Calendar Contact Form <=1.0.23 is vulnerable to unauthenticated blind SQL injection via the calendar shortcode parameter, allowing data exfiltration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Booking Calendar Contact Form plugin for WordPress version 1.0.23 and earlier contains an unauthenticated blind SQL injection vulnerability in the shortcode function. The plugin fails to sanitize the `CP_BCCF_CALENDAR_ID` parameter before using it in database queries. Specifically, the function `dex_bccf_calendar_load2` sets this parameter directly from the `id` GET parameter without proper validation, and the value is later used unsanitized in `dex_bccf_get_option` [1][3]. This affects all installations of the plugin up to and including version 1.0.23.

Exploitation

An attacker does not need authentication to exploit this vulnerability. By sending a crafted HTTP GET request to any page containing the vulnerable shortcode, the attacker can inject arbitrary SQL commands via the `id` parameter. The injection is blind, so techniques such as time-based or boolean-based inference are required to extract data character by character. Public exploit code has been published, making exploitation straightforward [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL queries against the WordPress database. This can lead to the extraction of sensitive information, including user credentials, password hashes, private posts, and configuration details. The CVSS v4 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N) indicates high confidentiality impact with low integrity impact and no availability impact [3].

Mitigation

No official patch or updated version has been released to address this vulnerability. The plugin may be abandoned or unmaintained. The only reliable mitigation is to deactivate and remove the plugin entirely from the WordPress installation, especially if the site is publicly accessible. Users should consider switching to a maintained alternative for calendar/contact form functionality.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The plugin fails to sanitize the `id` GET parameter and the `calendar` shortcode attribute before using them in SQL queries, enabling blind SQL injection."

Attack vector

An unauthenticated attacker can send a crafted HTTP request to `wp-admin/admin-ajax.php` with `action=dex_bccf_calendar_ajaxevent`, `dex_bccf_calendar_load2=list`, and a malicious `id` parameter containing SQL injection payloads (e.g., `id=1 and sleep(10)`). Alternatively, an attacker with editor/author privileges can embed a shortcode like `[CP_BCCF_FORM calendar=-1 or sleep(10)#]` in a post, which triggers the same unsanitized SQL path. Both vectors allow blind SQL injection to extract arbitrary database contents.
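As an added example (not part of this advisory or the plugin), the following check scans web-server access logs for requests matching the unauthenticated admin-ajax.php vector described above. The log lines are constructed, and the rule that a legitimate calendar `id` is a plain integer is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request signature from the advisory: the vulnerable call goes to
# wp-admin/admin-ajax.php with this action and injects via `id`.
VULN_ACTION = "dex_bccf_calendar_ajaxevent"

# Combined/common log format: client IP, timestamp, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(target):
    """Return a finding string if `target` (path + query) is a request to the
    vulnerable admin-ajax.php action whose `id` is not a plain integer,
    otherwise None. Assumption: real calendar ids are unsigned integers."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    query = parse_qs(parts.query)  # percent-decodes values for us
    if query.get("action", [""])[0] != VULN_ACTION:
        return None
    ids = query.get("id", [])
    if not ids or re.fullmatch(r"\d+", ids[0]):
        return None
    return f"CVE-2016-20069 probe: action={VULN_ACTION} id={ids[0]!r}"

def scan_log(lines):
    """Parse each log line and collect (ip, timestamp, finding) tuples."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        hit = inspect_request(m.group("target"))
        if hit:
            findings.append((m.group("ip"), m.group("ts"), hit))
    return findings

# Constructed sample log: one probe using the payload shape from the advisory,
# one legitimate calendar load, and two unrelated requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=list&id=1%20and%20sleep(10) HTTP/1.1" 200 512',
    '198.51.100.4 - - [15/Jun/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=list&id=3 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [15/Jun/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64',
    '192.0.2.9 - - [15/Jun/2026:10:00:04 +0000] "GET /wp-login.php?id=1%20or%201 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, ts, finding in scan_log(SAMPLE_LOG):
        print(ip, ts, finding)
```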

Affected code

The vulnerability resides in the `dex_bccf_filter_content` shortcode function, which unsafely passes the `calendar` parameter into the constant `DEX_BCCF_CALENDAR_FIXED_ID`. That constant is later used unsanitized in a SQL query inside `dex_bccf_get_public_form()`. Additionally, the `dex_bccf_calendar_load2` function sets `CP_BCCF_CALENDAR_ID` from the `id` GET parameter without sanitization, and `dex_bccf_get_option` uses it in database queries.

What the fix does

The advisory states that the vendor released fixed plugin version 1.0.24 on 2016-02-08, but the patch diff is not included in the bundle. The fix presumably sanitizes or parameterizes the `id` and `calendar` parameters before they are used in SQL queries, preventing injection of arbitrary SQL commands. Without the patch, the root cause is the lack of input validation on values assigned to `CP_BCCF_CALENDAR_ID` and `DEX_BCCF_CALENDAR_FIXED_ID`.

Preconditions

  • config: The WordPress instance must have the Booking Calendar Contact Form plugin version ≤1.0.23 installed and activated.
  • auth: No authentication is required for the admin-ajax.php vector; the shortcode vector requires editor/author-level access.
  • network: The attacker must be able to send HTTP requests to the WordPress site (network reachable).
  • input: The attacker supplies a malicious `id` GET parameter or a `calendar` shortcode attribute containing SQL injection syntax.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.