CVE-2016-20084 MEDIUM

CVE-2016-20084: WordPress appointment-booking-calendar 1.1.24 Privilege Escalation XSS

Vendor: Dwbooster
Product: Booking Calendar Contact
Weakness: CWE-79 · XSS
Published: June 15, 2026
Last update: June 15, 2026

CVSS base score

5.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through parameters of the admin.php page. Attackers can inject malicious JavaScript into the 'ict' and 'ics' options or the calendar 'name' parameter via GET requests; the injected script then executes when the calendar is displayed or accessed in the administration interface.

Key dates

Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated