{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2016-20069","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2026-06-14T18:27:45.187Z","datePublished":"2026-06-15T12:00:39.584Z","dateUpdated":"2026-06-15T19:24:44.517Z"},"containers":{"cna":{"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2026-06-15T12:00:39.584Z"},"datePublic":"2016-02-08T00:00:00.000Z","title":"WordPress Booking Calendar Contact Form 1.0.23 SQL Injection","descriptions":[{"lang":"en","value":"WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information."}],"problemTypes":[{"descriptions":[{"lang":"en","description":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","cweId":"CWE-89","type":"CWE"}]}],"affected":[{"vendor":"dwbooster","product":"Booking Calendar Contact Form","versions":[{"version":"0","status":"affected","versionType":"semver","lessThanOrEqual":"1.0.23"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.8,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS"},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","version":"3.1"},"format":"CVSS"}],"references":[{"url":"https://www.exploit-db.com/exploits/39423","name":"ExploitDB-39423","tags":["exploit"]},{"url":"http://wordpress.dwbooster.com/","name":"Official Product Homepage","tags":["product"]},{"name":"VulnCheck Advisory: WordPress Booking Calendar Contact Form 1.0.23 SQL Injection","tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/wordpress-booking-calendar-contact-form-sql-injection-2"}],"credits":[{"lang":"en","value":"Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]","type":"finder"}],"x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-15T15:34:07.153143Z","id":"CVE-2016-20069","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-15T19:24:44.517Z"}}]}}