CVE Catalog

CVE-2016-20070

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

The WordPress Booking Calendar Contact Form plugin version 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts.

Risk Assessment

Attackers with subscriber-level accounts can inject XSS payloads, leading to the execution of arbitrary JavaScript in administrator browsers, posing a serious security threat to the system.

Recommendation

It is recommended to update the plugin to the latest version and implement appropriate mechanisms for verifying privileges and sanitizing input parameters.

Original NVD description (English source)

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS