CVE-2016-20069
Status: Received - Intake
Unauthenticated Blind SQL Injection in WordPress Booking Calendar Contact Form

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulnCheck

Description
WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information.
Meta Information
EPSS Evaluated: N/A
Affected Vendors & Products
1 associated CPE

Vendor              Product            Version / Range
wpbookingcalendar   booking_calendar   1.0.23
CWE
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

The vulnerability exists in WordPress Booking Calendar Contact Form version 1.0.23. It is an unauthenticated blind SQL injection flaw in the shortcode function, where the calendar parameter is not properly sanitized before being used in database queries.

This allows attackers to inject arbitrary SQL commands through the calendar shortcode parameter, enabling them to execute unauthorized SQL queries and potentially extract sensitive information from the database.

Impact Analysis

Successful exploitation gives an attacker the ability to run attacker-chosen SQL against the WordPress database, which means read access to anything stored there (user records, password hashes, booking and contact data, options). Because the injection is blind, data comes back inferentially, through boolean or time-based probes, one bit or character at a time; this is slower than an error-based injection but is fully automated by standard tooling, so the practical outcome is still a complete dump of the database.

Since the vulnerability is unauthenticated and remotely exploitable, it poses a high risk of data breach without requiring any user credentials.

Compliance Impact

The vulnerability allows attackers to perform unauthenticated blind SQL injection attacks, enabling them to extract sensitive database information. This exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the safeguarding of personal and sensitive information against unauthorized access.

Because the vulnerable path neither sanitizes the input nor requires authentication, it increases the risk of unauthorized data disclosure and manipulation, which can violate the confidentiality and integrity requirements mandated by these standards.

Detection Guidance

Exploitation attempts can be detected by watching requests to 'admin-ajax.php' for the 'dex_bccf_calendar_load2' AJAX action and for the shortcode's 'calendar' parameter. Both the 'id' parameter of that action and the 'calendar' parameter are expected to hold a numeric calendar ID, so any value that is not a plain integer (quotes, SQL keywords, SLEEP()/BENCHMARK() calls, comment sequences) is a strong signal. An allow-list check on the parameter's shape produces far fewer false positives than searching for SQL keywords alone, and it also catches payloads that avoid the obvious keywords.

Note that web server access logs record only the query string of GET requests; a payload sent in a POST body is not visible there and has to be captured at a WAF, a reverse proxy, or with packet capture at a point where the traffic is in plaintext. Remember that logged values are URL-encoded, so a quote appears as '%27' and a space as '%20' or '+'.

Examples of where to look:

  • Using grep on web server logs to find suspicious requests. A filter on 'id=' alone matches almost every AJAX call, so narrow it to the vulnerable action or parameter and then to encoded injection characters: grep 'admin-ajax.php' /var/log/apache2/access.log | grep -E 'action=dex_bccf_calendar_load2|calendar=' | grep -Ei "%27|'|sleep|benchmark|union|%20(and|or)%20"
  • Using network monitoring tools like tcpdump or Wireshark to filter HTTP requests to 'admin-ajax.php' and inspect parameters for SQL injection patterns. This only works where the traffic is in plaintext, i.e. on the web server itself or behind the TLS terminator, not on the wire for an HTTPS site.
  • Checking WordPress posts or content for shortcodes whose 'calendar' parameter is anything other than a plain integer ID.
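The following Python script is an added illustration of the three checks above; it is not code from this page or from the plugin's vendor. It applies the allow-list rule from the guidance to Apache combined-format access log lines and to a post body: a request to 'admin-ajax.php' is flagged when its 'calendar' parameter, or its 'id' parameter under the 'dex_bccf_calendar_load2' action, is anything other than a plain integer, and a shortcode is flagged when its calendar attribute is not an integer. The log lines, the post text and the shortcode tag 'cal_demo' are constructed for the example (the page does not name the plugin's shortcode tag), and the SQL-syntax markers only annotate a finding, they do not decide it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format. Only the request target matters here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

AJAX_ACTION = "dex_bccf_calendar_load2"   # AJAX action named in the detection guidance
ID_PARAMS = ("id", "calendar")            # parameters expected to hold a numeric calendar ID

# Used only to annotate a finding; the decision is the allow-list check in classify_request.
SQL_MARKERS = re.compile(r"(?i)\bsleep\s*\(|\bbenchmark\s*\(|\bunion\b|\b(?:or|and)\b|'|--|/\*")


def classify_request(target):
    """Return a reason string if the request target looks like an injection attempt, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin-ajax.php"):
        return None
    # parse_qs URL-decodes, so %27 and %20 are inspected as the quote and space they encode.
    params = parse_qs(parts.query, keep_blank_values=True)
    action = params.get("action", [""])[0]
    for name in ID_PARAMS:
        for value in params.get(name, []):
            if value == "" or value.isdigit():
                continue            # a plain integer is the only legitimate shape
            if name == "id" and action != AJAX_ACTION:
                continue            # 'id' is used by many unrelated AJAX actions
            marker = SQL_MARKERS.search(value)
            note = " (SQL syntax: %s)" % marker.group(0) if marker else ""
            return "non-numeric %s=%r%s" % (name, value, note)
    return None


def scan_log(lines):
    """Return one dict per log line whose request classify_request flags."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # not a combined-format line; skip rather than guess
        reason = classify_request(m.group("target"))
        if reason:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "ua": m.group("ua"), "reason": reason})
    return hits


# Shortcode check for post content. Any shortcode carrying a calendar="..." attribute is
# inspected, because the page does not name the plugin's shortcode tag.
SHORTCODE_RE = re.compile(r"\[(?P<tag>[A-Za-z0-9_-]+)(?P<attrs>[^\]]*)\]")
CAL_ATTR_RE = re.compile(r"""\bcalendar\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")


def scan_shortcodes(content):
    """Return (tag, value) for every shortcode whose calendar attribute is not a plain integer."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        m = CAL_ATTR_RE.search(sc.group("attrs"))
        if not m:
            continue
        value = next(v for v in m.groups() if v is not None)
        if not value.isdigit():
            findings.append((sc.group("tag"), value))
    return findings


# Constructed sample data: two benign requests, one time-based and one boolean-based probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jun/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_load2&id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Jun/2026:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_load2&id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [15/Jun/2026:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&id=5 HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Jun/2026:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_load2&calendar=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 9000 "-" "python-requests/2.31"',
]
# Constructed post body; 'cal_demo' is a placeholder tag, not the plugin's real shortcode.
SAMPLE_POST = 'Book here: [cal_demo calendar="1"]\n[cal_demo calendar="1 AND SLEEP(5)" width="100%"]'

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%(time)s %(ip)s %(ua)s -> %(reason)s" % hit)
    for tag, value in scan_shortcodes(SAMPLE_POST):
        print("shortcode [%s] has non-numeric calendar=%r" % (tag, value))
```

Run the script as-is to see the two probes reported and the benign lines ignored; in practice replace SAMPLE_LOG with the lines of the real access log. The decoding step is what makes this more reliable than the grep above: a raw grep for a quote character never sees the '%27' the attacker actually sent, whereas parse_qs compares the decoded value. The script only sees GET query strings, so for POST traffic feed it the request targets recorded by your WAF or reverse proxy instead.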
Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress Booking Calendar Contact Form plugin to version 1.0.24 or later, as this version contains patches addressing the SQL injection and other related vulnerabilities.

Additionally, rather than blocking 'admin-ajax.php' outright, which many front-end features of WordPress and other plugins depend on, put a WAF or reverse-proxy rule in front of it that rejects requests for the 'dex_bccf_calendar_load2' action whose 'id' parameter is not a plain integer, monitor logs for the patterns described above, and remove the plugin entirely if it is not in use.

Avoid using untrusted shortcodes or inputs that could exploit the vulnerability until the plugin is updated.
