CVE-2016-10909

The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.