Description
WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers.
Published: 2026-06-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Booking Calendar Contact Form 1.0.23 contains a stored cross‑site scripting flaw that also enables privilege escalation. An authenticated user with subscriber privileges can inject malicious JavaScript through fields such as price, name, calendar_language, and email_confirmation_to_user without any input validation. The injected script executes in any Administrator’s browser when they view the affected page, allowing credential theft, site defacement or other client‑side attacks.

Affected Systems

The vulnerability affects sites running the dwbooster Booking Calendar Contact Form plugin version 1.0.23.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity, while the EPSS score is < 1% indicating a very low exploitation probability and the flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated subscriber with access to the plugin’s administrative pages, and the attacker must target the admin‑ajax.php or admin.php endpoints. Once the necessary conditions are met, injection is straightforward and any Administrator who visits the page can be compromised.

Generated by OpenCVE AI on June 18, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Booking Calendar Contact Form plugin to the latest version once an official patch becomes available.
  • Restrict or revoke subscriber‑level permissions for modifying Booking Calendar options so that only administrators can alter settings.
  • Implement strict input validation or sanitization for the vulnerable parameters (price, name, calendar_language, email_confirmation_to_user) and consider disabling the admin‑ajax.php and admin.php endpoints for non‑administrator users.

Generated by OpenCVE AI on June 18, 2026 at 01:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Dwbooster
Dwbooster booking Calendar Contact Form
Wordpress
Wordpress wordpress
Vendors & Products Dwbooster
Dwbooster booking Calendar Contact Form
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers.
Title WordPress Booking Calendar Contact Form 1.0.23 Privilege Escalation Stored XSS
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Dwbooster Booking Calendar Contact Form
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T16:01:33.068Z

Reserved: 2026-06-14T18:28:28.113Z

Link: CVE-2016-20070

cve-icon Vulnrichment

Updated: 2026-06-15T16:01:26.535Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T14:16:30.090

Modified: 2026-06-15T20:50:47.973

Link: CVE-2016-20070

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:45:59Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')