CVE-2016-20070

WordPress Booking Calendar Contact Form 1.0.23 Privilege Escalation Stored XSS

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected products

dwbooster · Booking Calendar Contact Form

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/39423unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.exploit-db.com/exploits/39423 https://www.vulncheck.com/advisories/wordpress-booking-calendar-contact-form-privilege-escalation-stored-xss http://wordpress.dwbooster.com/