CVE-2016-20070
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
The WordPress Booking Calendar Contact Form plugin version 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts.
Risk Assessment
Attackers with subscriber-level accounts can inject XSS payloads, leading to the execution of arbitrary JavaScript in administrator browsers, posing a serious security threat to the system.
Recommendation
It is recommended to update the plugin to the latest version and implement appropriate mechanisms for verifying privileges and sanitizing input parameters.
Original NVD description (English source)
WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with subscriber-level accounts can inject XSS payloads through parameters like price, name, calendar_language, and email_confirmation_to_user via admin-ajax.php and admin.php endpoints to execute arbitrary JavaScript in administrator browsers.

