Search Results (11 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2016-20084 3 Codepeople, Dwbooster, Wordpress 3 Booking Calendar Contact Form, Booking Calendar Contact, Wordpress 2026-07-15 7.2 High
WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScript into the 'ict' and 'ics' options or the calendar 'name' parameter via GET requests to execute arbitrary scripts when the calendar is displayed or accessed in the administration interface.
CVE-2016-20070 3 Codepeople, Dwbooster, Wordpress 3 Booking Calendar Contact Form, Booking Calendar Contact Form, Wordpress 2026-07-15 6.4 Medium
WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers.
CVE-2016-20069 3 Codepeople, Dwbooster, Wordpress 3 Booking Calendar Contact Form, Booking Calendar Contact Form, Wordpress 2026-07-15 8.2 High
WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.
CVE-2016-20068 3 Codepeople, Dwbooster, Wordpress 3 Booking Calendar Contact Form, Booking Calendar Contact Form, Wordpress 2026-07-15 8.2 High
WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information.
CVE-2023-25037 2 Codepeople, Wordpress 2 Booking Calendar Contact Form, Wordpress 2026-04-28 4.3 Medium
Missing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking Calendar Contact Form: from n/a through 1.2.34.
CVE-2026-6810 2 Codepeople, Wordpress 2 Booking Calendar Contact Form, Wordpress 2026-04-28 5.3 Medium
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to takeover other user's calendars and view user data associated with the calendar.
CVE-2025-48231 2 Codepeople, Wordpress 2 Booking Calendar Contact Form, Wordpress 2026-04-23 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS.This issue affects Booking Calendar Contact Form: from n/a through <= 1.2.58.
CVE-2025-24723 2 Codepeople, Wordpress 2 Booking Calendar Contact Form, Wordpress 2026-04-23 5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS.This issue affects Booking Calendar Contact Form: from n/a through <= 1.2.55.
CVE-2025-13318 2 Codepeople, Wordpress 2 Booking Calendar Contact Form, Wordpress 2026-04-22 5.3 Medium
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.
CVE-2016-10909 1 Codepeople 1 Booking Calendar Contact Form 2024-11-21 N/A
The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.
CVE-2016-10908 1 Codepeople 1 Booking Calendar Contact Form 2024-11-21 N/A
The booking-calendar-contact-form plugin before 1.0.24 for WordPress has XSS.