PatchSiren

dwbooster CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM dwbooster CVE published 2026-06-15

CVE-2016-20070

CVE-2016-20070 is a medium-severity vulnerability (CVSS Score: 5.1) affecting WordPress Booking Calendar Contact Form version 1.0.23. The vulnerability allows authenticated users to escalate privileges and inject malicious scripts due to insufficient verification of user privileges and inadequate sanitization of input parameters. Specifically, attackers with subscriber-level accounts can inject XSS payloa [truncated]

HIGH dwbooster CVE published 2026-06-15

CVE-2016-20068

CVE-2016-20068 is a high-severity SQL injection vulnerability in WordPress Booking Calendar Contact Form version 1.0.23. The vulnerability allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint with the action parameter set to 'dex_bccf_calendar_ajaxevent' and supply crafted SQL commands in [truncated]

MEDIUM dwbooster CVE published 2026-06-15

CVE-2016-20067

CVE-2016-20067 is a cross-site request forgery (CSRF) vulnerability in WordPress CP Polls 1.0.8. It allows attackers to perform unauthorized actions on behalf of authenticated users: a crafted malicious HTML page executes unwanted poll operations when an administrator visits it while logged in. The CVSS score is 5.3 (MEDIUM severity).

MEDIUM dwbooster CVE published 2026-06-15

CVE-2016-20066

CVE-2016-20066 is a persistent cross-site scripting (XSS) vulnerability in WordPress CP Polls 1.0.8. The vulnerability allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary JavaScript in the browsers of users viewing the affected content. The CVSS sco [truncated]