Vulnerabilities and security researches forbooking-calendar-contact-form booking-calendar-contact-form

Dec 11, 2025

CVE, Research URL: CVE-2025-13318
Home page URL: Security reports for Booking Calendar Contact Form
Application: Booking Calendar Contact Form
Date: Nov 22, 2025
Research Description: The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.
Affected versions: max 1.2.61.
Status: vulnerable

Jul 06, 2025

CVE, Research URL: CVE-2025-48231
Home page URL: Security reports for Booking Calendar Contact Form
Application: Booking Calendar Contact Form
Date: Jul 04, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through 1.2.58.
Affected versions: max 1.2.59.
Status: vulnerable

Jan 26, 2025

CVE, Research URL: CVE-2025-24723
Home page URL: Security reports for Booking Calendar Contact Form
Application: Booking Calendar Contact Form
Date: Jan 24, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodePeople Booking Calendar Contact Form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through 1.2.55.
Affected versions: max 1.2.56.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-25037
Home page URL: Security reports for Booking Calendar Contact Form
Application: Booking Calendar Contact Form
Date: Dec 09, 2024
Research Description: Missing Authorization vulnerability in CodePeople Booking Calendar Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking Calendar Contact Form: from n/a through 1.2.34.
Affected versions: max 1.2.35.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2016-10908
Home page URL: Security reports for Booking Calendar Contact Form
Application: Booking Calendar Contact Form
Date: Aug 21, 2019
Research Description: The booking-calendar-contact-form plugin before 1.0.24 for WordPress has XSS.
Affected versions: max 1.0.24.
Status: vulnerable

CVE, Research URL: CVE-2016-10909
Home page URL: Security reports for Booking Calendar Contact Form
Application: Booking Calendar Contact Form
Date: Aug 21, 2019
Research Description: The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.
Affected versions: max 1.2.35.
Status: vulnerable

CVE, Research URL: CVE-2023-36384
Home page URL: Security reports for Booking Calendar Contact Form
Application: Booking Calendar Contact Form
Date: Jul 18, 2023
Research Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin <= 1.2.40 versions.
Affected versions: max 1.2.41.
Status: vulnerable