
12 vulnerabilities found for Booking Calendar Contact Form by CodePeople

CVE-2026-6810 (GCVE-0-2026-6810)

Vulnerability from nvd – Published: 2026-04-24 05:29 – Updated: 2026-04-24 13:55
Title
Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover
Summary
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to take over other users' calendars and view user data associated with those calendars. Note: the CVSS vector in the record below (PR:N, C:N) does not reflect the authenticated precondition or the data exposure described here, so the 5.3 base score should be read with that in mind when triaging.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
codepeople Booking Calendar Contact Form Affected: 0 , ≤ 1.2.63 (semver)
Credits
Md. Moniruzzaman Prodhan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6810",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T13:54:56.912135Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T13:55:26.615Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Booking Calendar Contact Form",
          "vendor": "codepeople",
          "versions": [
            {
              "lessThanOrEqual": "1.2.63",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Md. Moniruzzaman Prodhan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to takeover other user\u0027s calendars and view user data associated with the calendar."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T05:29:38.488Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3977d10-239d-4b83-ab0c-ad165485498d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L38"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L38"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L71"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L71"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L608"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf.php#L608"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3512197%40booking-calendar-contact-form\u0026new=3512197%40booking-calendar-contact-form\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T17:49:57.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-04-23T16:30:20.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Booking Calendar Contact Form \u003c= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6810",
    "datePublished": "2026-04-24T05:29:38.488Z",
    "dateReserved": "2026-04-21T17:34:46.594Z",
    "dateUpdated": "2026-04-24T13:55:26.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13318 (GCVE-0-2025-13318)

Vulnerability from nvd – Published: 2025-11-22 08:30 – Updated: 2026-04-08 17:04
Title
Booking Calendar Contact Form <= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via 'dex_bccf_ipn' Parameter
Summary
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.
CWE
Assigner
Impacted products
Vendor Product Version
codepeople Booking Calendar Contact Form Affected: 0 , ≤ 1.2.60 (semver)
Credits
Md. Moniruzzaman Prodhan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13318",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-24T19:34:56.104102Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-24T19:35:04.659Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Booking Calendar Contact Form",
          "vendor": "codepeople",
          "versions": [
            {
              "lessThanOrEqual": "1.2.60",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Md. Moniruzzaman Prodhan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the \u0027dex_bccf_ipn\u0027 parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:04:13.473Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83b0ae2c-6b08-4b71-a728-c60722ec20c7?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.59/dex_bccf.php#L1409"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L1409"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3399906%40booking-calendar-contact-form\u0026new=3399906%40booking-calendar-contact-form\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-19T15:28:00.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-11-21T19:35:42.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Booking Calendar Contact Form \u003c= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via \u0027dex_bccf_ipn\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-13318",
    "datePublished": "2025-11-22T08:30:29.623Z",
    "dateReserved": "2025-11-17T15:18:42.968Z",
    "dateUpdated": "2026-04-08T17:04:13.473Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-48231 (GCVE-0-2025-48231)

Vulnerability from nvd – Published: 2025-07-04 11:18 – Updated: 2026-04-28 16:12
Title
WordPress Booking Calendar Contact Form plugin <= 1.2.58 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form (booking-calendar-contact-form) allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through <= 1.2.58.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
codepeople Booking Calendar Contact Form Affected: 0 , ≤ 1.2.58 (custom)
Date Public ?
2026-04-01 16:40
Credits
kmaron1n | Patchstack Bug Bounty Program

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48231",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T14:38:25.726179Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T14:59:37.639Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "booking-calendar-contact-form",
          "product": "Booking Calendar Contact Form",
          "vendor": "codepeople",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.59",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2.58",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "kmaron1n | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:40:34.203Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS.\u003cp\u003eThis issue affects Booking Calendar Contact Form: from n/a through \u003c= 1.2.58.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS.This issue affects Booking Calendar Contact Form: from n/a through \u003c= 1.2.58."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:12:53.652Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/booking-calendar-contact-form/vulnerability/wordpress-booking-calendar-contact-form-1-2-58-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Booking Calendar Contact Form plugin \u003c= 1.2.58 - Cross Site Scripting (XSS) Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-48231",
    "datePublished": "2025-07-04T11:18:02.980Z",
    "dateReserved": "2025-05-19T14:12:49.258Z",
    "dateUpdated": "2026-04-28T16:12:53.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24723 (GCVE-0-2025-24723)

Vulnerability from nvd – Published: 2025-01-24 17:25 – Updated: 2026-04-28 16:11
Title
WordPress Booking Calendar Contact Form Plugin <= 1.2.55 - Stored Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form (booking-calendar-contact-form) allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through <= 1.2.55.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
codepeople Booking Calendar Contact Form Affected: 0 , ≤ 1.2.55 (custom)
Date Public ?
2026-04-01 16:34
Credits
Nguyễn Khánh Hào | Patchstack Bug Bounty Program

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24723",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T17:51:48.325098Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:01:17.092Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "booking-calendar-contact-form",
          "product": "Booking Calendar Contact Form",
          "vendor": "codepeople",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.56",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2.55",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nguy\u1ec5n Kh\u00e1nh H\u00e0o | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:39.429Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS.\u003cp\u003eThis issue affects Booking Calendar Contact Form: from n/a through \u003c= 1.2.55.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS.This issue affects Booking Calendar Contact Form: from n/a through \u003c= 1.2.55."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:11:32.983Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/booking-calendar-contact-form/vulnerability/wordpress-booking-calendar-contact-form-plugin-1-2-55-stored-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Booking Calendar Contact Form Plugin \u003c= 1.2.55 - Stored Cross Site Scripting (XSS) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24723",
    "datePublished": "2025-01-24T17:25:13.465Z",
    "dateReserved": "2025-01-23T14:52:44.767Z",
    "dateUpdated": "2026-04-28T16:11:32.983Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-25037 (GCVE-0-2023-25037)

Vulnerability from nvd – Published: 2024-12-09 11:31 – Updated: 2026-04-28 16:08
Title
WordPress Booking Calendar Contact Form plugin <= 1.2.34 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking Calendar Contact Form: from n/a through 1.2.34.
CWE
Assigner
References
Impacted products
Vendor Product Version
CodePeople Booking Calendar Contact Form Affected: n/a , ≤ 1.2.34 (custom)
Credits
István Márton (Patchstack Alliance)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-25037",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-09T13:28:59.127383Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-09T18:42:37.853Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "booking-calendar-contact-form",
          "product": "Booking Calendar Contact Form",
          "vendor": "CodePeople",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.35",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2.34",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Istv\u00e1n M\u00e1rton (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Booking Calendar Contact Form: from n/a through 1.2.34.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking Calendar Contact Form: from n/a through 1.2.34."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:08:06.761Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/booking-calendar-contact-form/vulnerability/wordpress-booking-calendar-contact-form-plugin-1-2-34-broken-access-control?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Booking Calendar Contact Form plugin to the latest available version (at least 1.2.35)."
            }
          ],
          "value": "Update the WordPress Booking Calendar Contact Form plugin to the latest available version (at least 1.2.35)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Booking Calendar Contact Form plugin \u003c= 1.2.34 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2023-25037",
    "datePublished": "2024-12-09T11:31:37.517Z",
    "dateReserved": "2023-02-02T09:58:49.594Z",
    "dateUpdated": "2026-04-28T16:08:06.761Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-36384 (GCVE-0-2023-36384)

Vulnerability from nvd – Published: 2023-07-18 14:17 – Updated: 2026-04-28 16:08
Title
WordPress Booking Calendar Contact Form Plugin <= 1.2.40 is vulnerable to Cross Site Scripting (XSS)
Summary
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the CodePeople Booking Calendar Contact Form plugin, versions <= 1.2.40.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
CodePeople Booking Calendar Contact Form Affected: n/a , ≤ 1.2.40 (custom)
Credits
BOT (Patchstack Alliance)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:45:56.756Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/booking-calendar-contact-form/wordpress-booking-calendar-contact-form-plugin-1-2-40-cross-site-scripting-xss?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-36384",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-25T16:35:12.782830Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-25T17:01:02.791Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "booking-calendar-contact-form",
          "product": "Booking Calendar Contact Form",
          "vendor": "CodePeople",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.41",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2.40",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "BOT (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a01.2.40 versions.\u003c/span\u003e"
            }
          ],
          "value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin \u003c=\u00a01.2.40 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-591 Reflected XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:08:31.402Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/booking-calendar-contact-form/wordpress-booking-calendar-contact-form-plugin-1-2-40-cross-site-scripting-xss?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to\u00a01.2.41 or a higher version."
            }
          ],
          "value": "Update to\u00a01.2.41 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Booking Calendar Contact Form Plugin \u003c= 1.2.40 is vulnerable to Cross Site Scripting (XSS)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2023-36384",
    "datePublished": "2023-07-18T14:17:40.116Z",
    "dateReserved": "2023-06-21T13:04:35.740Z",
    "dateUpdated": "2026-04-28T16:08:31.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6810 (GCVE-0-2026-6810)

Vulnerability from cvelistv5 – Published: 2026-04-24 05:29 – Updated: 2026-04-24 13:55
Title
Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover
Summary
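The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to take over other users' calendars and view user data associated with the calendar. Note that the CVSS vector in the record below (PR:N, C:N) does not reflect the Subscriber-level authentication and the data exposure described here, so the 5.3 base score should not be relied on alone when prioritising this update.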
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Vendor Product Version
codepeople Booking Calendar Contact Form Affected: 0 , ≤ 1.2.63 (semver)
Credits
Md. Moniruzzaman Prodhan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6810",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T13:54:56.912135Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T13:55:26.615Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Booking Calendar Contact Form",
          "vendor": "codepeople",
          "versions": [
            {
              "lessThanOrEqual": "1.2.63",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Md. Moniruzzaman Prodhan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to takeover other user\u0027s calendars and view user data associated with the calendar."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T05:29:38.488Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3977d10-239d-4b83-ab0c-ad165485498d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L38"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L38"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L71"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L71"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L608"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf.php#L608"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3512197%40booking-calendar-contact-form\u0026new=3512197%40booking-calendar-contact-form\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T17:49:57.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-04-23T16:30:20.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Booking Calendar Contact Form \u003c= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6810",
    "datePublished": "2026-04-24T05:29:38.488Z",
    "dateReserved": "2026-04-21T17:34:46.594Z",
    "dateUpdated": "2026-04-24T13:55:26.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13318 (GCVE-0-2025-13318)

Vulnerability from cvelistv5 – Published: 2025-11-22 08:30 – Updated: 2026-04-08 17:04
Title
Booking Calendar Contact Form <= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via 'dex_bccf_ipn' Parameter
Summary
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.
CWE
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
codepeople Booking Calendar Contact Form Affected: 0 , ≤ 1.2.60 (semver)
Credits
Md. Moniruzzaman Prodhan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13318",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-24T19:34:56.104102Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-24T19:35:04.659Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Booking Calendar Contact Form",
          "vendor": "codepeople",
          "versions": [
            {
              "lessThanOrEqual": "1.2.60",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Md. Moniruzzaman Prodhan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the \u0027dex_bccf_ipn\u0027 parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:04:13.473Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83b0ae2c-6b08-4b71-a728-c60722ec20c7?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.59/dex_bccf.php#L1409"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L1409"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3399906%40booking-calendar-contact-form\u0026new=3399906%40booking-calendar-contact-form\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-19T15:28:00.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-11-21T19:35:42.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Booking Calendar Contact Form \u003c= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via \u0027dex_bccf_ipn\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-13318",
    "datePublished": "2025-11-22T08:30:29.623Z",
    "dateReserved": "2025-11-17T15:18:42.968Z",
    "dateUpdated": "2026-04-08T17:04:13.473Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-48231 (GCVE-0-2025-48231)

Vulnerability from cvelistv5 – Published: 2025-07-04 11:18 – Updated: 2026-04-28 16:12
Title
WordPress Booking Calendar Contact Form plugin <= 1.2.58 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the codepeople Booking Calendar Contact Form plugin (booking-calendar-contact-form) allows Stored XSS. This issue affects Booking Calendar Contact Form versions up to and including 1.2.58.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
codepeople Booking Calendar Contact Form Affected: 0 , ≤ 1.2.58 (custom)
Date Public ?
2026-04-01 16:40
Credits
kmaron1n | Patchstack Bug Bounty Program

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48231",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-07T14:38:25.726179Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-07T14:59:37.639Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "booking-calendar-contact-form",
          "product": "Booking Calendar Contact Form",
          "vendor": "codepeople",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.59",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2.58",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "kmaron1n | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:40:34.203Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS.\u003cp\u003eThis issue affects Booking Calendar Contact Form: from n/a through \u003c= 1.2.58.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS.This issue affects Booking Calendar Contact Form: from n/a through \u003c= 1.2.58."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:12:53.652Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/booking-calendar-contact-form/vulnerability/wordpress-booking-calendar-contact-form-1-2-58-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Booking Calendar Contact Form plugin \u003c= 1.2.58 - Cross Site Scripting (XSS) Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-48231",
    "datePublished": "2025-07-04T11:18:02.980Z",
    "dateReserved": "2025-05-19T14:12:49.258Z",
    "dateUpdated": "2026-04-28T16:12:53.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-24723 (GCVE-0-2025-24723)

Vulnerability from cvelistv5 – Published: 2025-01-24 17:25 – Updated: 2026-04-28 16:11
Title
WordPress Booking Calendar Contact Form Plugin <= 1.2.55 - Stored Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the codepeople Booking Calendar Contact Form plugin (booking-calendar-contact-form) allows Stored XSS. This issue affects Booking Calendar Contact Form versions up to and including 1.2.55.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
codepeople Booking Calendar Contact Form Affected: 0 , ≤ 1.2.55 (custom)
Date Public ?
2026-04-01 16:34
Credits
Nguyễn Khánh Hào | Patchstack Bug Bounty Program

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24723",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-24T17:51:48.325098Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:01:17.092Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "booking-calendar-contact-form",
          "product": "Booking Calendar Contact Form",
          "vendor": "codepeople",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.56",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2.55",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nguy\u1ec5n Kh\u00e1nh H\u00e0o | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:34:39.429Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS.\u003cp\u003eThis issue affects Booking Calendar Contact Form: from n/a through \u003c= 1.2.55.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS.This issue affects Booking Calendar Contact Form: from n/a through \u003c= 1.2.55."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:11:32.983Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/booking-calendar-contact-form/vulnerability/wordpress-booking-calendar-contact-form-plugin-1-2-55-stored-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Booking Calendar Contact Form Plugin \u003c= 1.2.55 - Stored Cross Site Scripting (XSS) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-24723",
    "datePublished": "2025-01-24T17:25:13.465Z",
    "dateReserved": "2025-01-23T14:52:44.767Z",
    "dateUpdated": "2026-04-28T16:11:32.983Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-25037 (GCVE-0-2023-25037)

Vulnerability from cvelistv5 – Published: 2024-12-09 11:31 – Updated: 2026-04-28 16:08
Title
WordPress Booking Calendar Contact Form plugin <= 1.2.34 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in the CodePeople Booking Calendar Contact Form plugin allows exploitation of incorrectly configured access control security levels. This issue affects Booking Calendar Contact Form versions up to and including 1.2.34.
CWE
  • CWE-862 - Missing Authorization
Assigner
References
Impacted products
Vendor Product Version
CodePeople Booking Calendar Contact Form Affected: n/a , ≤ 1.2.34 (custom)
Credits
István Márton (Patchstack Alliance)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-25037",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-09T13:28:59.127383Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-09T18:42:37.853Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "booking-calendar-contact-form",
          "product": "Booking Calendar Contact Form",
          "vendor": "CodePeople",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.35",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2.34",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Istv\u00e1n M\u00e1rton (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Booking Calendar Contact Form: from n/a through 1.2.34.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking Calendar Contact Form: from n/a through 1.2.34."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:08:06.761Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/booking-calendar-contact-form/vulnerability/wordpress-booking-calendar-contact-form-plugin-1-2-34-broken-access-control?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Booking Calendar Contact Form plugin to the latest available version (at least 1.2.35)."
            }
          ],
          "value": "Update the WordPress Booking Calendar Contact Form plugin to the latest available version (at least 1.2.35)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Booking Calendar Contact Form plugin \u003c= 1.2.34 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2023-25037",
    "datePublished": "2024-12-09T11:31:37.517Z",
    "dateReserved": "2023-02-02T09:58:49.594Z",
    "dateUpdated": "2026-04-28T16:08:06.761Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-36384 (GCVE-0-2023-36384)

Vulnerability from cvelistv5 – Published: 2023-07-18 14:17 – Updated: 2026-04-28 16:08
Title
WordPress Booking Calendar Contact Form Plugin <= 1.2.40 is vulnerable to Cross Site Scripting (XSS)
Summary
Unauthenticated reflected Cross-Site Scripting (XSS) vulnerability in the CodePeople Booking Calendar Contact Form plugin, versions <= 1.2.40. The record below lists 1.2.41 as the first unaffected version.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
CodePeople Booking Calendar Contact Form Affected: n/a , ≤ 1.2.40 (custom)
Credits
BOT (Patchstack Alliance)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:45:56.756Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/booking-calendar-contact-form/wordpress-booking-calendar-contact-form-plugin-1-2-40-cross-site-scripting-xss?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-36384",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-25T16:35:12.782830Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-25T17:01:02.791Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "booking-calendar-contact-form",
          "product": "Booking Calendar Contact Form",
          "vendor": "CodePeople",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.41",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2.40",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "BOT (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a01.2.40 versions.\u003c/span\u003e"
            }
          ],
          "value": "Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin \u003c=\u00a01.2.40 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-591 Reflected XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:08:31.402Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/booking-calendar-contact-form/wordpress-booking-calendar-contact-form-plugin-1-2-40-cross-site-scripting-xss?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to\u00a01.2.41 or a higher version."
            }
          ],
          "value": "Update to\u00a01.2.41 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Booking Calendar Contact Form Plugin \u003c= 1.2.40 is vulnerable to Cross Site Scripting (XSS)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2023-36384",
    "datePublished": "2023-07-18T14:17:40.116Z",
    "dateReserved": "2023-06-21T13:04:35.740Z",
    "dateUpdated": "2026-04-28T16:08:31.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}