Description
WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information.
Published: 2026-06-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a blind SQL injection that allows unauthenticated users to submit malicious SQL queries through the 'id' parameter on the admin-ajax.php endpoint. The injected code can be used to extract sensitive data from the database, potentially exposing user information and site configuration.

Affected Systems

WordPress plugin "Booking Calendar Contact Form" version 1.0.23, provided by dwbooster. The flaw exists only in this specific version of the plugin; newer releases are assumed to have the issue patched.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity rating. The EPSS score is not available, so the exploitation probability is unknown, and the vulnerability is not cataloged in CISA KEV. Attackers can exploit the flaw remotely by sending crafted HTTP requests to the public admin-ajax.php endpoint with the action set to 'dex_bccf_calendar_ajaxevent' and a malicious 'id' value. This requires no authentication and can be performed by anyone with network access to the WordPress site.

Generated by OpenCVE AI on June 16, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Booking Calendar Contact Form plugin to the latest version that removes the SQL injection flaw.
  • If an upgrade cannot be performed immediately, block or restrict unauthenticated access to the admin-ajax.php endpoint with the action dex_bccf_calendar_ajaxevent via a firewall or WAF rule.
  • Create a backup of the database before applying any changes and verify the backup integrity to safeguard against potential data loss during remediation.

Generated by OpenCVE AI on June 16, 2026 at 01:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information.
Title WordPress Booking Calendar Contact Form 1.0.23 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T16:14:52.808Z

Reserved: 2026-06-14T18:27:09.580Z

Link: CVE-2016-20068

cve-icon Vulnrichment

Updated: 2026-06-15T16:14:26.664Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T14:16:29.817

Modified: 2026-06-15T20:50:47.973

Link: CVE-2016-20068

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T02:00:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')