cleantalk
Vulnerabilities and Security Researches

Booking Calendar Contact Form, CVE-2025-13318

CVE, Research URL

CVE-2025-13318

Home page URL

Security reports for Booking Calendar Contact Form

Application

Booking Calendar Contact Form

Published on
Nov 22, 2025
Research Description
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.
Affected versions
max 1.2.61.
Status
vulnerable
Previous vulnerability researches
Multi-day Booking Calendar (CVE-2024-51873) , Nov 12, 2024
Booking Calendar and Notification (CVE-2024-13746) , Mar 03, 2025
Booking Calendar and Notification (CVE-2025-31381) , Apr 06, 2025
Booking Calendar and Notification (CVE-2025-31403) , Apr 06, 2025
Booking Calendar Contact Form (CVE-2025-13318) , Dec 11, 2025
New vulnerability
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) (CVE-2026-32430) , Mar 29, 2026
YayMail – WooCommerce Email Customizer (CVE-2026-27327) , Mar 29, 2026
Strong Testimonials (CVE-2026-24957) , Mar 29, 2026
BackWPup – WordPress Backup Plugin (CVE-2025-15041) , Mar 29, 2026
hCaptcha for WordPress (CVE-2026-25315) , Mar 29, 2026