VYPR
Medium severity 6.4 · NVD Advisory · Published Jun 15, 2026

CVE-2016-20070

Description

WordPress Booking Calendar Contact Form 1.0.23 lacks privilege checks and input sanitization, allowing subscribers to escalate privileges and inject stored XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WordPress Booking Calendar Contact Form plugin, version 1.0.23 (and possibly earlier), contains a privilege escalation and a stored cross-site scripting vulnerability. The plugin does not verify user capabilities before accepting modifications to its options, and it does not sanitize input parameters such as price, name, calendar_language, and email_confirmation_to_user. Because these parameters are processed through the admin-ajax.php and admin.php endpoints, which WordPress exposes to every logged-in user, the code path is reachable by any authenticated account, including subscribers [1][3].

Exploitation

An attacker with a subscriber-level account can exploit the missing privilege checks by sending crafted POST requests to the WordPress admin endpoints, placing JavaScript in parameters such as price or name. No special network position is required beyond normal authenticated access. The injection itself needs no user interaction, but the stored script only executes when an administrator views the affected settings page, so the full impact depends on an administrator visiting that page [3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in an administrator's browser, within the administrator's authenticated session. From there the attacker can perform any action the administrator can, such as creating new administrator users, modifying site content, or stealing session cookies, so the confidentiality, integrity, and availability of the WordPress site are all compromised and the attacker can effectively take full control of the site [3].

Mitigation

The references include no patch diff, but the advisory notes that version 1.0.24, released on 2016-02-08, addresses these issues. Users of version 1.0.23 or earlier should upgrade to 1.0.24 or later from the vendor (http://wordpress.dwbooster.com/) [2][3]. No workaround is mentioned in the references; because the attack requires an authenticated account, limiting who can register on the site reduces exposure, but it does not remove the flaw, and the plugin remains vulnerable until it is updated.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authorization checks and insufficient input sanitization in plugin admin endpoints allow low-privileged users to store XSS payloads and modify plugin options."

Attack vector

An authenticated attacker with a low-privilege role (e.g., subscriber) can send crafted HTTP requests to `admin-ajax.php` or `admin.php` endpoints without proper capability checks. By injecting XSS payloads into unsanitized parameters such as `price`, `name`, `calendar_language`, or `email_confirmation_to_user`, the attacker stores malicious JavaScript in the plugin's configuration. When an administrator views the affected settings page, the payload executes in the administrator's browser, enabling privilege escalation actions like modifying plugin options or redirecting users to phishing pages [1].

Affected code

The plugin fails to verify user privileges and sanitize input in multiple admin-ajax.php and admin.php endpoints. Functions such as `dex_bccf_check_posted_data` and the options update handler do not check capabilities before processing requests, and parameters like `price`, `name`, `calendar_language`, and `email_confirmation_to_user` are not sanitized before storage [1].

What the fix does

The advisory states that version 1.0.24 was released on 2016-02-08 to fix these issues, but the patch diff is not included in the bundle, so the exact change cannot be confirmed here. The fix presumably adds a capability check (e.g., `current_user_can('manage_options')`) before option updates are accepted, and sanitizes user-supplied input before it is stored (with escaping when it is rendered). Without the patch, an attacker can use the missing authorization and sanitization to inject arbitrary HTML and JavaScript.
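The vulnerable and hardened patterns side by side, as an added illustration that is not the plugin's own code and does not reproduce its real handlers: the hook and function names (`vyp_demo_*`), the option key, and the field layout are assumptions chosen for the example. What it shows is why a subscriber can reach a `wp_ajax_` handler at all, and the three controls (capability check, nonce, sanitization on input plus escaping on output) that close the reported gap.

```php
<?php
// Added example, not code from the plugin. All vyp_demo_* names and the
// 'vyp_demo_options' key are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// admin-ajax.php dispatches "wp_ajax_<action>" for ANY logged-in user, so a
// subscriber can call this. No capability check, no nonce, no sanitization:
// a "price" of <script>...</script> is stored as-is and later rendered to an
// administrator.
function vyp_demo_save_options_vulnerable() {
    $opts = array(
        'price'                      => $_POST['price'],
        'name'                       => $_POST['name'],
        'calendar_language'          => $_POST['calendar_language'],
        'email_confirmation_to_user' => $_POST['email_confirmation_to_user'],
    );
    update_option( 'vyp_demo_options', $opts );
    wp_send_json_success();
}
add_action( 'wp_ajax_vyp_demo_save', 'vyp_demo_save_options_vulnerable' );

// --- Hardened pattern -----------------------------------------------------
function vyp_demo_save_options_hardened() {
    // 1. Authorization: only users who may manage site options. This alone
    //    removes the subscriber-reachable path that the advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the request must carry a nonce for this action; the settings
    //    form emits it with wp_create_nonce( 'vyp_demo_save' ).
    check_ajax_referer( 'vyp_demo_save', 'nonce' );

    // 3. Validate / sanitize every field at the point of storage.
    $price = isset( $_POST['price'] ) ? floatval( wp_unslash( $_POST['price'] ) ) : 0.0;
    if ( $price < 0 ) {
        wp_send_json_error( 'invalid price', 400 );
    }

    $name = isset( $_POST['name'] )
        ? sanitize_text_field( wp_unslash( $_POST['name'] ) )
        : '';

    // Allowlist rather than sanitize for an enum-like field (hypothetical set).
    $allowed_langs = array( 'en', 'es', 'fr', 'de' );
    $lang = isset( $_POST['calendar_language'] ) ? sanitize_key( $_POST['calendar_language'] ) : 'en';
    if ( ! in_array( $lang, $allowed_langs, true ) ) {
        $lang = 'en';
    }

    // Boolean flag: anything other than the literal "true" is false.
    $confirm = isset( $_POST['email_confirmation_to_user'] )
        && 'true' === $_POST['email_confirmation_to_user'];

    update_option( 'vyp_demo_options', array(
        'price'                      => $price,
        'name'                       => $name,
        'calendar_language'          => $lang,
        'email_confirmation_to_user' => $confirm,
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_vyp_demo_save_hardened', 'vyp_demo_save_options_hardened' );

// 4. Escape on output as well. Even sanitized values are escaped for the
//    context they land in (here an HTML attribute), so a value that slipped
//    through storage cannot break out of the tag.
function vyp_demo_render_text_field( $key ) {
    $opts  = get_option( 'vyp_demo_options', array() );
    $value = isset( $opts[ $key ] ) ? $opts[ $key ] : '';
    printf(
        '<input type="text" name="%s" value="%s">',
        esc_attr( $key ),
        esc_attr( $value )
    );
}
```

The capability check (step 1) is the control that matters most for this CVE: with it in place, a subscriber's POST is rejected before any field is read. Steps 3 and 4 are what stop the stored XSS even for requests from legitimate administrators, and they are kept separate because sanitizing on the way in does not substitute for escaping for the specific output context on the way out.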

Preconditions

  • Authentication: the attacker must have an authenticated WordPress account (any role, including subscriber)
  • Configuration: the installed plugin must be version 1.0.23 or earlier
  • Network: the attacker must be able to send HTTP requests to the admin-ajax.php or admin.php endpoints

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.