cleantalk
Vulnerabilities and Security Researches

Booking Calendar Contact Form, CVE-2026-6810

CVE, Research URL

CVE-2026-6810

Home page URL

Security reports for Booking Calendar Contact Form

Application

Booking Calendar Contact Form

Published on
Apr 24, 2026
Research Description
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to takeover other user's calendars and view user data associated with the calendar.
Affected versions
max 1.2.64.
Status
vulnerable
Previous vulnerability researches
Booking Calendar Contact Form (CVE-2025-13318) , Dec 11, 2025
Booking Calendar Contact Form (CVE-2025-48231) , Jul 06, 2025
Booking Calendar Contact Form (CVE-2026-6810) , Apr 25, 2026
Booking Calendar Contact Form (CVE-2025-24723) , Jan 26, 2025
Booking Calendar Contact Form (CVE-2016-10908) , Jun 06, 2024
New vulnerability
WordPress Books Gallery (CVE-2026-5347) , Apr 26, 2026
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course (CVE-2026-39524) , Apr 26, 2026
Newsletter – Send awesome emails from WordPress (CVE-2025-3582) , Apr 26, 2026
Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Car (CVE-2024-4002) , Apr 26, 2026
Court Reservation – Manage Your Court Bookings Online (CVE-2026-1508) , Apr 26, 2026