CVE-2016-20070

MEDIUM

WordPress Booking Calendar Contact Form 1.0.23 Privilege Escalation Stored XSS

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20070. PoCs published by i0akiN SEC-LABORATORY.

AI-analyzed exploit summary The exploit demonstrates unauthenticated blind SQL injection and stored XSS vulnerabilities in WordPress Booking Calendar Contact Form plugin <=v1.0.23. It includes detailed technical analysis, vulnerable function paths, and proof-of-concept payloads for SQLi and XSS attacks.

Description

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers.

Exploits (1)

exploitdb WORKING POC

by i0akiN SEC-LABORATORY · textwebappsphp

https://www.exploit-db.com/exploits/39423

View Code ZIP pw:eip

The exploit demonstrates unauthenticated blind SQL injection and stored XSS vulnerabilities in WordPress Booking Calendar Contact Form plugin <=v1.0.23. It includes detailed technical analysis, vulnerable function paths, and proof-of-concept payloads for SQLi and XSS attacks.

Classification

Working Poc 100%

Attack Type

Sqli | Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress Booking Calendar Contact Form <=v1.0.23

No auth needed

Prerequisites: WordPress installation with vulnerable plugin · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Jun 15, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-39423

https://www.exploit-db.com/exploits/39423

Product product

Official Product Homepage

http://wordpress.dwbooster.com/

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress Booking Calendar Contact Form 1.0.23 Privilege Escalation Stored XSS

https://www.vulncheck.com/advisories/wordpress-booking-calendar-contact-form-privilege-escalation-stored-xss

Scores

CVSS v3 6.4

EPSS 0.0023

EPSS Percentile 13.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

dwbooster/Booking Calendar Contact Form < 1.0.23

Published Jun 15, 2026

Tracked Since Jun 15, 2026