CVE-2016-20070 in Booking Calendar Contact Form
Summary
by MITRE • 06/15/2026
WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/15/2026
This vulnerability affects WordPress Booking Calendar Contact Form version 1.0.23 and represents a critical security flaw that combines privilege escalation with stored cross-site scripting capabilities. The vulnerability stems from inadequate input validation and insufficient user privilege verification mechanisms within the plugin's administrative interfaces. Attackers with subscriber-level accounts can exploit this weakness to elevate their privileges and execute malicious code, demonstrating a significant failure in access control implementation. The flaw specifically manifests through the admin-ajax.php and admin.php endpoints where user-submitted data is processed without proper sanitization or authorization checks. The affected parameters including price, name, calendar_language, and email_confirmation_to_user create multiple attack vectors that allow persistent XSS payloads to be stored within the application's database. This stored XSS vulnerability enables attackers to execute arbitrary JavaScript code in the browsers of administrators who view affected data, creating a persistent threat that can compromise entire administrative sessions.
The technical implementation of this vulnerability aligns with CWE-79 (Cross-site Scripting) and CWE-285 (Improper Authorization) classifications, representing a dangerous combination of input sanitization failures and access control bypass mechanisms. The attack vector operates through the WordPress AJAX interface which is commonly used for administrative operations and typically requires proper authentication and authorization. However, this plugin fails to validate that users possess appropriate privileges before processing modifications to plugin options, allowing lower-privileged users to manipulate administrative settings. The stored nature of the XSS vulnerability means that malicious payloads persist in the database and execute whenever administrators access the affected pages, creating a continuous threat that can compromise multiple administrator sessions over time. This vulnerability directly violates the principle of least privilege and demonstrates poor input handling practices that are commonly addressed in security frameworks like OWASP Top Ten.
The operational impact of this vulnerability extends beyond simple data theft or defacement, as it creates a persistent backdoor for attackers to maintain access to compromised WordPress installations. Administrators who view booking data or calendar information become unwitting victims of the stored XSS attacks, potentially leading to complete administrative compromise of the WordPress site. The privilege escalation aspect means that attackers can modify plugin configurations, potentially disabling security features or redirecting user data to malicious endpoints. This vulnerability can be exploited to harvest administrator cookies, redirect users to phishing sites, or even install additional malware through the compromised administrative sessions. The attack surface is particularly concerning given that WordPress plugins often have broad access to site data and functionality, making this vulnerability a significant threat to overall site security. The persistence of stored XSS payloads makes this vulnerability particularly dangerous as it can remain active for extended periods without detection, potentially allowing attackers to conduct long-term reconnaissance and data exfiltration activities.
Mitigation strategies should focus on immediate patching of the vulnerable plugin to version 1.0.24 or later, which addresses the privilege escalation and XSS vulnerabilities through proper input sanitization and authorization checks. Administrators should implement additional security measures including regular security audits of installed plugins, monitoring for unauthorized administrative changes, and implementing content security policies to reduce the impact of potential XSS exploitation. The WordPress security team recommends that all users immediately update to the latest plugin version and review existing user permissions to minimize the attack surface. Network-level monitoring should be implemented to detect unusual administrative activities, and multi-factor authentication should be enabled for all administrative accounts to provide additional protection layers. Organizations should also consider implementing web application firewalls to detect and block malicious payloads targeting these specific endpoints, while maintaining regular security assessments to identify similar vulnerabilities in other plugins or themes. The vulnerability highlights the importance of proper security testing during plugin development and the necessity of implementing robust input validation and access control mechanisms in all web applications.