CVE-2016-20069
WordPress Booking Calendar Contact Form 1.0.23 SQL Injection
Vexday Risk Score
41Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 8.8EPSS 0.2%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
15 Jun 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
dwbooster · Booking Calendar Contact Formpublic PoCs found — 1
cve_referencewww.exploit-db.com/exploits/39423unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.