Booking Calendar Contact Form
by WordPress
CVEs (11)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-20069 | | Hig | 0.53 | 8.2 | 0.00 | | Jun 15, 2026 | WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar… |
| CVE-2016-20068 | | Hig | 0.53 | 8.2 | 0.00 | | Jun 15, 2026 | WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the… |
| CVE-2016-20070 | | Med | 0.42 | 6.4 | 0.00 | | Jun 15, 2026 | WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters.… |
| CVE-2025-48231 | | Med | 0.42 | 6.5 | 0.00 | | Jul 4, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through <= 1.2.58. |
| CVE-2025-24723 | | Med | 0.38 | 5.9 | 0.00 | | Jan 24, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through <= 1.2.55. |
| CVE-2026-6810 | | Med | 0.34 | 5.3 | 0.00 | | Apr 24, 2026 | The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible… |
| CVE-2025-13318 | | Med | 0.34 | 5.3 | 0.00 | | Nov 22, 2025 | The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it… |
| CVE-2023-25037 | | Med | 0.28 | 4.3 | 0.01 | | Dec 9, 2024 | Missing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking Calendar Contact Form: from n/a through 1.2.34. |
| CVE-2023-36384 | | | 0.00 | — | 0.00 | | Jul 18, 2023 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin <= 1.2.40 versions. |
| CVE-2016-10909 | | | 0.00 | — | 0.02 | | Aug 21, 2019 | The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection. |
| CVE-2016-10908 | | | 0.00 | — | 0.01 | | Aug 21, 2019 | The booking-calendar-contact-form plugin before 1.0.24 for WordPress has XSS. |