Impact
A WordPress plugin called Booking Calendar Contact Form (version 1.0.23) contains an unauthenticated blind SQL injection flaw in its shortcode handler. The calendar parameter is not sanitized before being incorporated into database queries, allowing attackers to inject SQL statements. This vulnerability corresponds to CWE‑89, permitting an attacker to execute arbitrary SQL commands and exfiltrate sensitive database information.
Affected Systems
The affected product is the dwbooster Booking Calendar Contact Form plugin for WordPress, specifically version 1.0.23. No other versions are listed as vulnerable in the available data.
Risk and Exploitability
The CVSS score of 8.8 classifies this flaw as high severity. The EPSS score is 0.0024, indicating a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting a URL that includes an unsanitized calendar parameter, exploiting the plugin’s blind SQL injection to retrieve database contents. The lack of authentication requirements makes the attack surface wide, and the high CVSS score reflects the potential for significant data compromise.
OpenCVE Enrichment