CVE-2016-20070

MEDIUM 6.4

WordPress Booking Calendar Contact Form 1.0.23 Privilege Escalation Stored XSS

CVSS Score

6.4

EPSS Score

0.0%

EPSS Percentile

0th

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers.

CWE	CWE-79
Vendor	dwbooster
Product	booking calendar contact form
Published	Jun 15, 2026

Stay Ahead of the Next One

Get instant alerts for dwbooster booking calendar contact form

Be the first to know when new medium vulnerabilities affecting dwbooster booking calendar contact form are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

dwbooster / Booking Calendar Contact Form

0 ≤ 1.0.23

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/39423 wordpress.dwbooster.com: http://wordpress.dwbooster.com/ vulncheck.com: https://www.vulncheck.com/advisories/wordpress-booking-calendar-contact-form-privilege-escalation-stored-xss

Credits

Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]