CVE-2016-20069

HIGH

WordPress Booking Calendar Contact Form 1.0.23 SQL Injection

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20069. PoCs published by i0akiN SEC-LABORATORY.

AI-analyzed exploit summary The exploit demonstrates an unauthenticated blind SQL injection vulnerability in WordPress Booking Calendar Contact Form plugin <=v1.0.23. It includes technical details, vulnerable functions, and proof-of-concept URLs to trigger the SQLi via the 'id' parameter.

Description

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.

Exploits (1)

exploitdb WORKING POC

by i0akiN SEC-LABORATORY · textwebappsphp

https://www.exploit-db.com/exploits/39423

View Code ZIP pw:eip

The exploit demonstrates an unauthenticated blind SQL injection vulnerability in WordPress Booking Calendar Contact Form plugin <=v1.0.23. It includes technical details, vulnerable functions, and proof-of-concept URLs to trigger the SQLi via the 'id' parameter.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Booking Calendar Contact Form <=v1.0.23

No auth needed

Prerequisites: WordPress installation with vulnerable plugin

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Jun 15, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-39423

https://www.exploit-db.com/exploits/39423

Product product

Official Product Homepage

http://wordpress.dwbooster.com/

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress Booking Calendar Contact Form 1.0.23 SQL Injection

https://www.vulncheck.com/advisories/wordpress-booking-calendar-contact-form-sql-injection-2

Scores

CVSS v3 8.2

EPSS 0.0024

EPSS Percentile 14.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

dwbooster/Booking Calendar Contact Form < 1.0.23

Published Jun 15, 2026

Tracked Since Jun 15, 2026