CVE-2016-20068

HIGH

WordPress Booking Calendar Contact Form 1.0.23 SQL Injection

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20068. PoCs published by i0akiN SEC-LABORATORY.

AI-analyzed exploit summary The exploit demonstrates an unauthenticated blind SQL injection vulnerability in WordPress Booking Calendar Contact Form plugin <=v1.0.23. It includes technical details, vulnerable code paths, and proof-of-concept URLs to trigger the SQLi via the 'id' parameter.

Description

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information.

Exploits (1)

exploitdb WORKING POC

by i0akiN SEC-LABORATORY · textwebappsphp

https://www.exploit-db.com/exploits/39423

View Code ZIP pw:eip

The exploit demonstrates an unauthenticated blind SQL injection vulnerability in WordPress Booking Calendar Contact Form plugin <=v1.0.23. It includes technical details, vulnerable code paths, and proof-of-concept URLs to trigger the SQLi via the 'id' parameter.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: WordPress Booking Calendar Contact Form <=v1.0.23

No auth needed

Prerequisites: WordPress installation with vulnerable plugin

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Jun 15, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-39423

https://www.exploit-db.com/exploits/39423

Product product

Official Product Homepage

http://wordpress.dwbooster.com/

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress Booking Calendar Contact Form 1.0.23 SQL Injection

https://www.vulncheck.com/advisories/wordpress-booking-calendar-contact-form-sql-injection

Scores

CVSS v3 8.2

EPSS 0.0030

EPSS Percentile 21.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

dwbooster/Booking Calendar Contact Form < 1.0.23

Published Jun 15, 2026

Tracked Since Jun 15, 2026