PatchSiren cyber security CVE debrief
CVE-2016-20068 dwbooster CVE debrief
CVE-2016-20068 is a high-severity SQL injection vulnerability in WordPress Booking Calendar Contact Form version 1.0.23. The vulnerability allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in the 'id' parameter to extract sensitive database information.
- Vendor: dwbooster
- Product: Booking Calendar Contact Form
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of WordPress Booking Calendar Contact Form version 1.0.23 should apply patches or mitigations to prevent exploitation.
Technical summary
The vulnerability has a CVSS score of 8.8 (HIGH severity) and is classified under CWE-89, SQL injection.
Defensive priority
high
Recommended defensive actions
- Apply patches or updates to WordPress Booking Calendar Contact Form to prevent exploitation.
- Restrict access to the admin-ajax.php endpoint to only trusted users.
- Monitor for suspicious activity on the admin-ajax.php endpoint.
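One way to carry out the monitoring step, as an added example that is not part of the original advisory: a scan of web server access logs for requests to admin-ajax.php with the action 'dex_bccf_calendar_ajaxevent' whose 'id' value is not a plain integer. It assumes combined-format access logs, parameters sent in the query string (POST bodies are not visible in access logs), and that a legitimate 'id' is a small integer; the function name and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ACTION = "dex_bccf_calendar_ajaxevent"  # action value named in the advisory
# Combined log format: client IP first, request line in double quotes.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
PLAIN_ID = re.compile(r"\d{1,10}")  # assumption: a legitimate id is a small integer


def suspicious_requests(lines):
    """Return (ip, id_value) pairs for requests to the affected action
    whose id parameter is anything other than a plain integer."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("url"))
        if not url.path.endswith("/admin-ajax.php"):
            continue
        # parse_qs URL-decodes values, so encoded input is compared decoded.
        params = parse_qs(url.query, keep_blank_values=True)
        if ACTION not in params.get("action", []):
            continue
        for value in params.get("id", []):
            if not PLAIN_ID.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&id=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Jun/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&id=1%27 HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Jun/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&id=abc HTTP/1.1" 200 64',
    '198.51.100.7 - - [15/Jun/2026:10:00:12 +0000] "GET /index.php?id=x HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric id to {ACTION}: {value!r}")
```

A hit indicates input worth investigating, not confirmed exploitation; requests sent by POST need WAF or application-level logging to be visible.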
Evidence notes
The vendor of the affected product is likely Dwbooster, based on the provided evidence.
Official resources
CVE-2016-20068 was published on 2026-06-15T14:16:29.817Z and last modified on 2026-06-15T14:16:29.817Z.