Impact
WordPress Booking Calendar Contact Form 1.0.23 contains a stored cross‑site scripting flaw that also enables privilege escalation. An authenticated user with subscriber privileges can inject malicious JavaScript through fields such as price, name, calendar_language, and email_confirmation_to_user without any input validation. The injected script executes in any Administrator’s browser when they view the affected page, allowing credential theft, site defacement or other client‑side attacks.
Affected Systems
The vulnerability affects sites running the dwbooster Booking Calendar Contact Form plugin version 1.0.23.
Risk and Exploitability
The CVSS score of 5.1 indicates a moderate severity, while the EPSS score is < 1% indicating a very low exploitation probability and the flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated subscriber with access to the plugin’s administrative pages, and the attacker must target the admin‑ajax.php or admin.php endpoints. Once the necessary conditions are met, injection is straightforward and any Administrator who visits the page can be compromised.
OpenCVE Enrichment