CVE-2016-20069 HIGH

CVE-2016-20069: WordPress Booking Calendar Contact Form 1.0.23 SQL Injection

Vendor Dwbooster
Product Booking Calendar Contact Form
Weakness CWE-89 · SQLi
Published June 15, 2026
Last update June 15, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.

Explanation of Vulnerability in Simple Terms

02Summary

Booking Calendar Contact Form versions up to 1.0.23 contain a SQL injection vulnerability in form input handling. An attacker can craft malicious input to execute arbitrary SQL queries against the site's database without authentication. This allows reading, modifying, or deleting sensitive data including user information and booking records.

What an attacker can do

03Attacker Capabilities

Execute SQL commands to read, modify, or delete database records without logging in.

Potential impact on your site

04Site Impact

Attackers can steal user data, booking information, and credentials, or corrupt the database.

Conditions required to exploit

05Prerequisites

Network access to the form; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated

Related vulnerabilities

08Related CVE