PatchSiren cyber security CVE debrief
CVE-2016-20070 dwbooster CVE debrief
CVE-2016-20070 is a medium-severity vulnerability (CVSS Score: 5.1) affecting WordPress Booking Calendar Contact Form version 1.0.23. The vulnerability allows authenticated users to escalate privileges and inject malicious scripts due to insufficient verification of user privileges and inadequate sanitization of input parameters. Specifically, attackers with subscriber-level accounts can inject XSS payloads through parameters such as price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints. This enables the execution of arbitrary JavaScript in administrator browsers.
- Vendor: dwbooster
- Product: Booking Calendar Contact Form
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators of WordPress sites running Booking Calendar Contact Form version 1.0.23 should be aware of this vulnerability. Because a subscriber-level account is sufficient to exploit it, immediate attention is required to prevent potential attacks.
Technical summary
The vulnerability exists because the WordPress Booking Calendar Contact Form plugin neither verifies the caller's privileges nor adequately validates and sanitizes user input before storing it. An authenticated low-privilege user can therefore submit script content that is later rendered in an administrator's browser, combining stored XSS with privilege escalation.
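To make the two weaknesses in the summary concrete, the following is an added illustration (not the plugin's own code, which is not reproduced on this page) of a generic WordPress admin-ajax handler in the shape the advisory describes beside a hardened version. The action names, option name and field names (hypothetical_booking_*, price, name) are assumptions for the example; the WordPress functions used (check_ajax_referer, current_user_can, sanitize_text_field, wp_unslash, esc_html, wp_send_json_error) are real core APIs.

```php
<?php
// Added example, not code from the plugin. Names prefixed "hypothetical_" are
// assumptions; a real plugin would register only one of the two handlers.

// Weak shape: every logged-in user (subscribers included) can reach wp_ajax_*
// actions, so with no capability check and no sanitization a subscriber can
// store arbitrary HTML in an option that an admin page later prints raw.
function hypothetical_booking_save_weak() {
    $settings = array(
        'price' => $_POST['price'] ?? '',
        'name'  => $_POST['name'] ?? '',
    );
    update_option( 'hypothetical_booking_settings', $settings );
    wp_die();
}
add_action( 'wp_ajax_hypothetical_booking_save_weak', 'hypothetical_booking_save_weak' );

function hypothetical_booking_render_weak() {
    $s = get_option( 'hypothetical_booking_settings', array() );
    // Raw output into admin HTML: whatever was stored executes in the admin's browser.
    echo '<td>' . ( $s['name'] ?? '' ) . '</td>';
}

// Hardened shape: nonce and capability check on the write path, type and
// length constraints on what is stored, and escaping at the point of output.
function hypothetical_booking_save_hardened() {
    // Rejects requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'hypothetical_booking_save', 'nonce' );

    // Only administrators (manage_options) may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $price = isset( $_POST['price'] ) ? floatval( wp_unslash( $_POST['price'] ) ) : 0.0;
    $name  = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';

    if ( $price < 0 || strlen( $name ) > 200 ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    update_option( 'hypothetical_booking_settings', array(
        'price' => $price,
        'name'  => $name,
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypothetical_booking_save', 'hypothetical_booking_save_hardened' );

function hypothetical_booking_render_hardened() {
    $s = get_option( 'hypothetical_booking_settings', array() );
    // Escape on output regardless of what was stored; storage-time sanitization
    // alone is not a substitute for contextual escaping.
    echo '<td>' . esc_html( $s['name'] ?? '' ) . '</td>';
    echo '<td>' . esc_html( number_format( (float) ( $s['price'] ?? 0 ), 2 ) ) . '</td>';
}
```

The two fixes are independent and both matter: the capability check stops low-privilege accounts from writing settings at all, and output escaping ensures that any value that does reach the admin page cannot execute as script. Auditing a plugin for this bug class means checking every wp_ajax_* and admin.php action for a current_user_can() call on the write path and an esc_* call on every echoed value.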
Defensive priority
High
Recommended defensive actions
- Update WordPress Booking Calendar Contact Form to a version that fixes the vulnerability.
- Restrict access to the admin-ajax.php and admin.php endpoints.
- Monitor requests to these endpoints from low-privilege accounts and block suspicious activity.
Evidence notes
The CVE record and details were obtained from official sources, including [cve-org](https://www.cve.org/CVERecord?id=CVE-2016-20070) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2016-20070). Additional information was gathered from [ref-4](http://wordpress.dwbooster.com/), [ref-5](https://www.exploit-db.com/exploits/39423), and [ref-6](https://www.vulncheck.com/advisories/wordpress-booking-calendar-contact-form-privilege-escalation-stored-xss).
Official resources
CVE-2016-20070 was published on 2026-06-15T14:16:30.090Z and last modified on 2026-06-15T14:16:30.090Z.