Plugin Vulnerability Hub
Plugin 10 known issues Latest disclosed Apr 23, 2026

Booking Calendar Contact Form Vulnerabilities

Review known vulnerability records for the WordPress plugin Booking Calendar Contact Form (`booking-calendar-contact-form`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-6810, CVE-2025-13318 and CVE-2025-48231, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 10
High or Critical: 2
Patch Coverage: 100%
Last Updated: Apr 23, 2026

Priority CVE Quick Links

Fast paths into Booking Calendar Contact Form CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 9

CVE-2016-10909 Critical 1.0.24
CVE-2016-10909 Booking Calendar Contact Form SQL Injection

Booking Calendar Contact Form < 1.0.24 - Blind SQL Injection

CVE-2025-48231 Medium 1.2.59
CVE-2025-48231 Booking Calendar Contact Form Stored Cross-Site Scripting

Booking Calendar Contact Form <= 1.2.58 - Authenticated (Subscriber+) Stored Cross-Site Scripting

CVE-2023-36384 Medium 1.2.41
CVE-2023-36384 Booking Calendar Contact Form Cross-Site Scripting

Booking Calendar Contact Form <= 1.2.40 - Reflected Cross-Site Scripting

CVE-2016-10908 Medium 1.0.24
CVE-2016-10908 Booking Calendar Contact Form Cross-Site Scripting

Booking Calendar Contact Form <= 1.0.23 - Reflected Cross-Site Scripting

CVE-2026-6810 Medium 1.2.64
CVE-2026-6810 Booking Calendar Contact Form Authorization Bypass

Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover

CVE-2025-13318 Medium 1.2.61
CVE-2025-13318 Booking Calendar Contact Form Vulnerability

Booking Calendar Contact Form <= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via 'dex_bccf_ipn' Parameter

CVE-2025-24723 Medium 1.2.56
CVE-2025-24723 Booking Calendar Contact Form Stored Cross-Site Scripting

Booking Calendar Contact Form <= 1.2.55 - Authenticated (Administrator+) Stored Cross-Site Scripting

CVE-2023-25037 Medium 1.2.35
CVE-2023-25037 Booking Calendar Contact Form Cross-Site Request Forgery

Booking Calendar Contact Form <= 1.2.34 - Cross-Site Request Forgery via cpdexbccf_feedback

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Booking Calendar Contact Form so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 10 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 1 critical and 1 high severity finding.
Recent CVEs: CVE-2026-6810, CVE-2025-13318 and CVE-2025-48231
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Booking Calendar Contact Form

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-6810
CVE-2026-6810: Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible f...

Published: Apr 23, 2026
Patched Release: 1.2.64
Affected Versions: Versions up to 1.2.63
Next Step: Update to 1.2.64 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-13318
CVE-2025-13318: Booking Calendar Contact Form <= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via 'dex_bccf_ipn' Parameter

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possib...

Published: Nov 21, 2025
Patched Release: 1.2.61
Affected Versions: Versions up to 1.2.60
Next Step: Update to 1.2.61 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-48231
CVE-2025-48231: Booking Calendar Contact Form <= 1.2.58 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.58 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level acces...

Published: Jun 30, 2025
Patched Release: 1.2.59
Affected Versions: Versions up to 1.2.58
Next Step: Update to 1.2.59 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-24723
CVE-2025-24723: Booking Calendar Contact Form <= 1.2.55 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.55 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level ac...

Published: Jan 24, 2025
Patched Release: 1.2.56
Affected Versions: Versions up to 1.2.55
Next Step: Update to 1.2.56 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-36384
CVE-2023-36384: Booking Calendar Contact Form <= 1.2.40 - Reflected Cross-Site Scripting

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dex_bccf_calendar_load2' parameter in versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for unaut...

Published: Jun 22, 2023
Patched Release: 1.2.41
Affected Versions: Versions up to 1.2.40
Next Step: Update to 1.2.41 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-25037
CVE-2023-25037: Booking Calendar Contact Form <= 1.2.34 - Cross-Site Request Forgery via cpdexbccf_feedback

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.34. This is due to missing or incorrect nonce validation on the cpdexbccf_feedback function called via the cpdexbccf_feedback AJAX action. This...

Published: Feb 06, 2023
Patched Release: 1.2.35
Affected Versions: Versions up to 1.2.34
Next Step: Update to 1.2.35 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-25037
CVE-2023-25037: Booking Calendar Contact Form <= 1.2.34 - Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission

The Booking Calendar Contact Form plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cpdexbccf_feedback function called via the cpdexbccf_feedback AJAX action in versions up to, and including, 1.2.34. This makes it pos...

Published: Feb 06, 2023
Patched Release: 1.2.35
Affected Versions: Versions up to 1.2.34
Next Step: Update to 1.2.35 or newer if supported.

Plugin High Patched: Yes
Booking Calendar Contact Form <= 1.0.23 - Shortcode SQL Injection

The Booking Calendar Contact Form plugin for WordPress is vulnerable to SQL Injection via the ‘calendar’ attribute in versions up to, and including, 1.0.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Th...

Published: Feb 08, 2016
Patched Release: 1.0.24
Affected Versions: Versions up to 1.0.23
Next Step: Update to 1.0.24 or newer if supported.

Plugin Critical Patched: Yes CVE-2016-10909
CVE-2016-10909: Booking Calendar Contact Form < 1.0.24 - Blind SQL Injection

The Booking Calendar Contact Form plugin for WordPress is vulnerable to blind SQL Injection via the ‘id’ parameter in versions up to, and including, 1.0.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Th...

Published: Feb 08, 2016
Patched Release: 1.0.24
Affected Versions: Versions before 1.0.24
Next Step: Update to 1.0.24 or newer if supported.

Plugin Medium Patched: Yes CVE-2016-10908
CVE-2016-10908: Booking Calendar Contact Form <= 1.0.23 - Reflected Cross-Site Scripting

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in versions up to, and including, 1.0.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

Published: Feb 08, 2016
Patched Release: 1.0.24
Affected Versions: Versions up to 1.0.23
Next Step: Update to 1.0.24 or newer if supported.