Export limit exceeded: 361357 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (3 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-20069 | 2 Dwbooster, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2026-06-26 | 8.2 High |
| WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information. | ||||
| CVE-2016-20070 | 2 Dwbooster, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2026-06-26 | 6.4 Medium |
| WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers. | ||||
| CVE-2016-20068 | 2 Dwbooster, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2026-06-26 | 8.2 High |
| WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information. | ||||
Page 1 of 1.