cvebase

Codepeople Booking Calendar Contact Form vulnerabilities

8 known vulnerabilities affecting codepeople/booking_calendar_contact_form.

Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 7

Vulnerabilities

CVE-2016-10909 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.0.24 | 2019-08-21
CWE-89: The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.
nvd
CVE-2025-13318 | P4 | MEDIUM | CVSS 5.3 | ≤ 1.2.60 | 2025-11-22
CWE-862: The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and by
nvd
CVE-2026-6810 | P4 | MEDIUM | CVSS 5.3 | ≤ 1.2.63 | 2026-04-24
CWE-639: The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to ta
nvd
CVE-2025-48231 | P4 | MEDIUM | CVSS 6.5 | ≤ 1.2.58 | 2025-07-04
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through <= 1.2.58.
nvd
CVE-2023-36384 | P4 | MEDIUM | CVSS 6.1 | ≥ n/a, ≤ 1.2.40 | 2023-07-18
CWE-79: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin <= 1.2.40 versions.
nvd
CVE-2016-10908 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.0.24 | 2019-08-21
CWE-79: The booking-calendar-contact-form plugin before 1.0.24 for WordPress has XSS.
nvd
CVE-2025-24723 | P4 | MEDIUM | CVSS 5.9 | ≤ 1.2.55 | 2025-01-24
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form booking-calendar-contact-form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through <= 1.2.55.
nvd
CVE-2023-25037 | P4 | MEDIUM | CVSS 4.3 | ≥ n/a, ≤ 1.2.34 | 2024-12-09
CWE-862: Missing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking Calendar Contact Form: from n/a through 1.2.34.
nvd