CVE-2016-20084

HIGH

WordPress appointment-booking-calendar 1.1.24 Privilege Escalation XSS

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20084, a PoC published by i0akiN SEC-LABORATORY.

AI-analyzed exploit summary: The exploit demonstrates a privilege escalation and persistent XSS vulnerability in the WordPress appointment-booking-calendar plugin. It includes functional PoC code that crafts malicious GET requests to update calendar settings and inject XSS payloads.

Description

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and to store cross-site scripting payloads through parameters of the plugin's admin.php page. An attacker can place JavaScript in the 'ict' and 'ics' options or in the calendar 'name' parameter with plain GET requests; the stored payload then executes in the browser of anyone who views the calendar or opens it in the administration interface (CWE-79, stored XSS).
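A log-hunting pass a defender could run over web-server access logs for the request pattern described above, as an added example (not code from this page, the plugin, or the exploit author). It assumes the Apache/nginx combined log format, uses the parameter names the advisory gives ('ict', 'ics', 'name') together with a placeholder page= slug because the page does not state the real one, and the sample log lines are constructed.

```python
"""Hunt access logs for requests matching the CVE-2016-20084 exploit pattern:
a GET to /wp-admin/admin.php carrying the plugin's 'ict', 'ics' or 'name'
parameter with an HTML/JavaScript payload.

Added example, not code from this page, the plugin, or the exploit author.
Assumptions: Apache/nginx combined log format; the page= slug in the sample
lines is a placeholder because the advisory does not state the real one; the
payload regex is a hunting heuristic, not a complete XSS grammar.
"""
import re
from html import unescape
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format (assumed): ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Parameter names come from the advisory text; the page= slug is not asserted.
SUSPECT_PARAMS = {"ict", "ics", "name"}

# Cheap payload heuristic: tags that can run script, javascript: URLs, on* handlers.
PAYLOAD_RE = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|input|object|embed)\b"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def fully_decode(value, rounds=3):
    """Strip repeated percent-encoding and HTML entities so a double-encoded
    payload (%253Cscript%253E) is still recognised after parse_qs's first pass."""
    for _ in range(rounds):
        new = unescape(unquote(value))
        if new == value:
            break
        value = new
    return value


def classify(line):
    """Return a finding dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = {}
    for name, values in params.items():
        if name not in SUSPECT_PARAMS:
            continue
        for raw in values:
            decoded = fully_decode(raw)
            if PAYLOAD_RE.search(decoded):
                hits[name] = decoded
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "params": hits}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # 'ict' carrying a URL-encoded <script> payload
    '203.0.113.5 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin.php'
    '?page=PLACEHOLDER&ict=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1"'
    ' 302 0 "-" "curl/8.0"',
    # calendar 'name' carrying an <img onerror> payload
    '203.0.113.5 - - [15/Jun/2026:10:00:02 +0000] "GET /wp-admin/admin.php'
    '?page=PLACEHOLDER&name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1"'
    ' 302 0 "-" "curl/8.0"',
    # 'ics' double-encoded to slip past a single-decode filter
    '198.51.100.9 - - [15/Jun/2026:10:05:00 +0000] "GET /wp-admin/admin.php'
    '?page=PLACEHOLDER&ics=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1"'
    ' 200 512 "-" "Mozilla/5.0"',
    # benign administrative request with ordinary values
    '192.0.2.7 - admin [15/Jun/2026:10:06:00 +0000] "GET /wp-admin/admin.php'
    '?page=PLACEHOLDER&name=Dentist%20Smith&ict=default HTTP/1.1"'
    ' 200 2048 "-" "Mozilla/5.0"',
    # same payload against a front-end URL: outside this pattern
    '203.0.113.5 - - [15/Jun/2026:10:07:00 +0000] "GET /?name=%3Cscript%3E HTTP/1.1"'
    ' 200 1024 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} params={f['params']}")
```

The decode loop matters because parse_qs only undoes one layer of percent-encoding; an attacker who double-encodes the payload would otherwise be missed. A 302 status on a matching line does not mean the attempt failed, since WordPress redirects unauthenticated admin requests to the login page only after any early-hooked plugin code has already run, so treat every match as worth a look.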

Exploits (1)

exploitdb WORKING POC
by i0akiN SEC-LABORATORY · text · webapps · php
https://www.exploit-db.com/exploits/39341

Classification
Working PoC: 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress appointment-booking-calendar <= 1.1.24
Authentication: none required (consistent with PR:N in the CVSS vector)
Prerequisites: network reach to the target's wp-admin/admin.php endpoint, which is where the PoC's GET requests are sent
Analysis by devstral-2, Jun 15, 2026

References (3)

Core References (3)
Exploit: ExploitDB-39341
https://www.exploit-db.com/exploits/39341
Third-party advisory: VulnCheck Advisory: WordPress appointment-booking-calendar 1.1.24 Privilege Escalation XSS
https://www.vulncheck.com/advisories/wordpress-appointment-booking-calendar-privilege-escalation-xss

Scores

CVSS v3.1 base score: 7.2 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: NETWORK; scope is Changed because the stored script runs in the browser of a user viewing the calendar, outside the vulnerable plugin itself
EPSS: 0.0024 (15.4th percentile)

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Products (1)
dwbooster/Booking Calendar Contact < 1.1.24
Published: Jun 15, 2026
Tracked since: Jun 15, 2026