Description
WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.
Published: 2026-06-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A WordPress plugin called Booking Calendar Contact Form (version 1.0.23) contains an unauthenticated blind SQL injection flaw in its shortcode handler. The calendar parameter is not sanitized before being incorporated into database queries, allowing attackers to inject SQL statements. This vulnerability corresponds to CWE‑89, permitting an attacker to execute arbitrary SQL commands and exfiltrate sensitive database information.

Affected Systems

The affected product is the dwbooster Booking Calendar Contact Form plugin for WordPress, specifically version 1.0.23. No other versions are listed as vulnerable in the available data.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as high severity. The EPSS score is 0.0024, indicating a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting a URL that includes an unsanitized calendar parameter, exploiting the plugin’s blind SQL injection to retrieve database contents. The lack of authentication requirements makes the attack surface wide, and the high CVSS score reflects the potential for significant data compromise.

Generated by OpenCVE AI on June 18, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Booking Calendar Contact Form plugin to the latest version that sanitizes calendar parameters
  • If an update is unavailable, remove or disable the plugin entirely to eliminate the vulnerable code
  • Deploy a web application firewall or URL filtering rules to block suspicious SQL injection attempts against the calendar shortcode parameter

Generated by OpenCVE AI on June 18, 2026 at 01:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Dwbooster
Dwbooster booking Calendar Contact Form
Wordpress
Wordpress wordpress
Vendors & Products Dwbooster
Dwbooster booking Calendar Contact Form
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.
Title WordPress Booking Calendar Contact Form 1.0.23 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Dwbooster Booking Calendar Contact Form
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T19:24:44.517Z

Reserved: 2026-06-14T18:27:45.187Z

Link: CVE-2016-20069

cve-icon Vulnrichment

Updated: 2026-06-15T15:34:11.996Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T14:16:29.960

Modified: 2026-06-15T20:50:47.973

Link: CVE-2016-20069

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:01Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')