What the vulnerability does
01Description
WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.
Explanation of Vulnerability in Simple Terms
02Summary
Booking Calendar Contact Form versions up to 1.0.23 contain a SQL injection vulnerability in form input handling. An attacker can craft malicious input to execute arbitrary SQL queries against the site's database without authentication. This allows reading, modifying, or deleting sensitive data including user information and booking records.
What an attacker can do
03Attacker Capabilities
Execute SQL commands to read, modify, or delete database records without logging in.
Potential impact on your site
04Site Impact
Attackers can steal user data, booking information, and credentials, or corrupt the database.
Conditions required to exploit
05Prerequisites
Network access to the form; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 15, 2026
CVE published
June 15, 2026
Record updated