Description
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to take over other users' calendars and view user data associated with the calendar.
Published: 2026-04-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Calendar takeover and unauthorized data exposure
Action: Patch
AI Analysis

Impact

The Booking Calendar Contact Form plugin for WordPress lets any user logged in with Subscriber-level permissions or higher supply a calendar identifier to the code path in dex_bccf_admin_int_calendar_list.inc.php, and that identifier is used to look up the calendar without checking that the caller owns it. This insecure direct object reference (CWE-639) lets an attacker view another user's calendar and the user data tied to it, and take the calendar over, which is a moderate breach of confidentiality and integrity. The key itself is the only thing "validated" (it is a lookup key, not proof of ownership), so no sanitisation of the value fixes the flaw; only binding the lookup to the requesting user does.
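The pattern behind this class of bug, shown as an added example in generic WordPress plugin code: this is not code from the Booking Calendar Contact Form plugin or from Wordfence. The table name (`{prefix}example_calendars`), the `owner_id` column, the `calendar_id` request parameter, the nonce action and the function names are all assumptions chosen for the illustration; the advisory does not publish the plugin's internals. The first function is the vulnerable shape (object selected purely by a client-supplied key), the second binds the same lookup to the calling user.

```php
<?php
// Added example, not the plugin's own code. Table, column, parameter and
// function names are assumptions; the advisory does not name them.

// Vulnerable shape (CWE-639): the row is selected by a client-supplied id only.
// Parameterised, so there is no SQL injection, but nothing ties the id to the
// caller, so any logged-in user can request any calendar id.
function example_calendar_list_vulnerable() {
    global $wpdb;
    $calendar_id = isset( $_GET['calendar_id'] ) ? absint( $_GET['calendar_id'] ) : 0;
    $table       = $wpdb->prefix . 'example_calendars';   // assumed table name

    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $calendar_id )
    );
}

// Hardened shape: require a session, require a nonce, and scope the lookup to
// the current user unless the caller is an administrator.
function example_calendar_list_hardened() {
    global $wpdb;

    // 1. Reject anonymous callers outright. If this runs via admin-ajax.php,
    //    also make sure no wp_ajax_nopriv_* hook points at it.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required', '', array( 'response' => 401 ) );
    }

    // 2. CSRF protection for an action that can change calendar ownership.
    //    The nonce action name 'example_calendar_list' is an assumption.
    check_admin_referer( 'example_calendar_list' );

    $calendar_id = isset( $_GET['calendar_id'] ) ? absint( $_GET['calendar_id'] ) : 0;
    $table       = $wpdb->prefix . 'example_calendars';   // assumed table name

    // 3. Ownership check: the part the vulnerable version is missing.
    //    Administrators may see every calendar; everyone else only their own.
    if ( current_user_can( 'manage_options' ) ) {
        $row = $wpdb->get_row(
            $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $calendar_id )
        );
    } else {
        $row = $wpdb->get_row(
            $wpdb->prepare(
                "SELECT * FROM {$table} WHERE id = %d AND owner_id = %d",
                $calendar_id,
                get_current_user_id()
            )
        );
    }

    // 4. Same response for "no such id" and "not yours", so a low-privilege
    //    user cannot enumerate which ids belong to other accounts.
    if ( null === $row ) {
        wp_die( 'Calendar not found', '', array( 'response' => 404 ) );
    }

    return $row;
}
```

The important design point is step 3: the ownership constraint goes into the query itself rather than being checked afterwards on the fetched row, so there is no window in which another user's record has already been loaded and could leak through an error path or a partial response.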

Affected Systems

The vulnerability affects all releases of the Booking Calendar Contact Form plugin up to and including version 1.2.63. Any WordPress site running the plugin at or below that version is exposed to every registered user of the site. Operators should confirm the installed version on the Plugins screen of the WordPress admin interface (or with WP-CLI) and plan an upgrade.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 is Medium. Note that the published vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) scores privileges required as none and confidentiality impact as none, which does not match the description's requirement for a Subscriber-level account or its mention of viewing user data; treat the confidentiality impact as understated rather than absent. The EPSS score below 1% indicates a low current likelihood of exploitation, and the CVE is not in the CISA Known Exploited Vulnerabilities catalog, although the SSVC record marks it as automatable with partial technical impact. Exploitation needs nothing more than a logged-in account at Subscriber level or above: the attacker supplies a target calendar ID and, because ownership is never checked, gains access to that calendar's data. On a site with open registration ("Anyone can register" enabled, which grants the Subscriber role by default), this is effectively reachable by any visitor.

Generated by OpenCVE AI on April 28, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Booking Calendar Contact Form plugin to a version newer than 1.2.63 as soon as the vendor publishes one; the advisory lists no fixed version or vendor workaround at the time of writing.
  • Reduce the pool of accounts that can reach the flaw: disable open registration ("Anyone can register") unless the site needs it, review the user list for stale or unknown Subscriber accounts, and check that no role has been granted capabilities it does not need.
  • If an update cannot be performed immediately, consider deactivating the plugin until a fix is available. Blocking direct requests to dex_bccf_admin_int_calendar_list.inc.php with web‑server rules or a security plugin is harmless and removes one avenue, but it only helps if the file is reached by a direct request; if the plugin's own request handler includes the file, such a rule does not block the vulnerable code path, so verify against the plugin source how the script is invoked before relying on it.

Generated by OpenCVE AI on April 28, 2026 at 20:24 UTC.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 04:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Codepeople; Codepeople booking Calendar Contact Form; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Codepeople; Codepeople booking Calendar Contact Form; Wordpress; Wordpress wordpress

Fri, 24 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 06:00:00 +0000

Type: Description
Values Added: The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to takeover other user's calendars and view user data associated with the calendar.

Type: Title
Values Added: Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover

Type: Weaknesses
Values Added: CWE-639

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Codepeople Booking Calendar Contact Form
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-24T13:55:26.615Z

Reserved: 2026-04-21T17:34:46.594Z

Link: CVE-2026-6810

Vulnrichment

Updated: 2026-04-24T13:55:03.193Z

NVD

Status: Deferred

Published: 2026-04-24T06:16:08.790

Modified: 2026-04-24T14:38:26.740

Link: CVE-2026-6810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses