
CVE-2016-20084: WordPress Booking Calendar Privilege Escalation

CVE-2016-20084 is a privilege escalation vulnerability in WordPress appointment-booking-calendar 1.1.24 that allows unauthenticated attackers to modify settings and inject XSS payloads. This article covers technical details, impact, and mitigation.


CVE-2016-20084 Overview

CVE-2016-20084 affects the WordPress appointment-booking-calendar plugin version 1.1.24. The plugin exposes multiple privilege escalation paths that allow unauthenticated attackers to modify calendar settings through admin.php parameters. Attackers can inject persistent JavaScript payloads into the ict and ics options or the calendar name parameter using crafted GET requests. The stored payload executes when an administrator views the calendar or the plugin's administration interface. The flaw is tracked under CWE-79 (Cross-Site Scripting) and combines missing authorization with absent input sanitization on plugin configuration endpoints.

Critical Impact

Unauthenticated attackers can persist arbitrary JavaScript in plugin settings, leading to administrator session compromise and full WordPress site takeover when an administrator loads the affected pages.

Affected Products

  • WordPress plugin appointment-booking-calendar version 1.1.24
  • WordPress sites using the Booking Calendar Contact Form by dwbooster with the vulnerable plugin installed
  • Any administrator session interacting with the plugin's admin interface

Discovery Timeline

  • 2026-06-15 - CVE-2016-20084 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2016-20084

Vulnerability Analysis

The appointment-booking-calendar plugin exposes administrative configuration actions through admin.php without enforcing capability checks or nonce validation. Unauthenticated requests can reach handlers that update plugin options such as ict and ics, as well as the calendar name parameter. Because the handlers neither verify the caller's privileges nor sanitize input, attacker-controlled strings are stored verbatim in the WordPress options table. When an administrator subsequently renders the calendar settings page or any front-end view that reflects these values, the browser parses the stored payload as HTML and executes the embedded JavaScript in the administrator's session context.

Root Cause

The root cause is twofold. First, the plugin fails to gate state-changing operations behind current_user_can() checks or WordPress nonces, producing broken access control on configuration endpoints. Second, the plugin stores the ict, ics, and name parameters without output encoding or input filtering, producing a stored cross-site scripting condition mapped to CWE-79.
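The two halves of the root cause, shown as an added, hypothetical reconstruction rather than the plugin's actual source: a handler that writes the ict, ics and name parameters straight into the options table, followed by the hardened form that adds a capability check, a nonce, input sanitization and output encoding. The function names, option keys (abc_*) and the admin_post action name are assumptions.

```php
<?php
// Added illustration (hypothetical, not the plugin's code): the defect pattern the
// page describes for CVE-2016-20084, followed by the hardened form.

// BEFORE: any request that reaches this handler, authenticated or not, writes the raw
// GET values into wp_options; the name is later echoed unescaped (stored XSS sink).
function abc_save_settings_vulnerable() {
    update_option( 'abc_ict',  $_GET['ict'] );
    update_option( 'abc_ics',  $_GET['ics'] );
    update_option( 'abc_name', $_GET['name'] );
}
function abc_render_name_vulnerable() {
    echo '<h2>' . get_option( 'abc_name' ) . '</h2>';
}

// AFTER: authorization, CSRF protection, input sanitization and output encoding.
function abc_save_settings_fixed() {
    // 1. Capability check: broken access control was the first half of the root cause.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. Nonce: the settings form emits wp_nonce_field( 'abc_save_settings', 'abc_nonce' ).
    check_admin_referer( 'abc_save_settings', 'abc_nonce' );

    // 3. Input sanitization on every stored parameter (strips tags and control characters).
    foreach ( array( 'ict', 'ics', 'name' ) as $key ) {
        $clean = isset( $_POST[ $key ] )
            ? sanitize_text_field( wp_unslash( $_POST[ $key ] ) )
            : '';
        update_option( 'abc_' . $key, $clean );
    }
}
function abc_render_name_fixed() {
    // 4. Output encoding at the sink, independent of what was stored.
    echo '<h2>' . esc_html( get_option( 'abc_name' ) ) . '</h2>';
}

// admin_post_{action} only fires for logged-in users; the nopriv variant is deliberately
// not registered, so unauthenticated requests never reach the handler at all.
add_action( 'admin_post_abc_save_settings', 'abc_save_settings_fixed' );
```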

Attack Vector

The attack vector is network-based and requires no authentication. An attacker issues a GET request to the plugin's admin.php entry point with malicious values for the ict, ics, or calendar name parameters. The request silently mutates the plugin's stored configuration. The payload then fires when the WordPress administrator visits the plugin's settings page, browses a calendar that renders the tainted value, or otherwise loads a view that echoes the stored option. JavaScript executing in the administrator's context can create new admin accounts, exfiltrate session cookies, or modify site content. A public proof of concept is available at Exploit-DB #39341 and detailed in the VulnCheck Advisory.

No verified exploit code is reproduced here. Refer to the linked advisories for the parameter-level request structure.

Detection Methods for CVE-2016-20084

Indicators of Compromise

  • Unexpected <script>, onerror=, or onload= substrings in the wp_options table for keys associated with the appointment-booking-calendar plugin
  • GET requests to admin.php containing the ict, ics, or name parameters originating from unauthenticated sources
  • New WordPress administrator accounts created shortly after administrator sessions interacted with the plugin

Detection Strategies

  • Review WordPress access logs for admin.php requests carrying the ict, ics, or calendar name parameters without an authenticated session cookie
  • Hash and compare plugin option values against a known-good baseline to identify tampered configuration
  • Inspect rendered HTML on calendar and plugin administration pages for inline script tags that did not exist in the original templates
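The option-table checks from the two lists above (indicator substrings and baseline hashing), as an added example that is not part of the original page. It runs standalone on constructed rows; the option key names (abc_*) are placeholders, and in practice the rows come from a query against wp_options filtered on the plugin's real keys.

```php
<?php
// Added example (not from the page or the plugin): flag plugin option values that carry
// the stored-XSS indicators listed above or that have drifted from a known-good baseline.
const XSS_INDICATORS = array( '<script', 'onerror=', 'onload=', 'javascript:' );

/** Return [option_name => reason] for every row that looks tampered. */
function scan_plugin_options( array $rows, array $baseline_sha256 ) {
    $findings = array();
    foreach ( $rows as $name => $value ) {
        // Decode entities so an attacker-encoded &lt;script&gt; is still caught.
        $decoded = html_entity_decode( $value, ENT_QUOTES );
        foreach ( XSS_INDICATORS as $needle ) {
            if ( stripos( $decoded, $needle ) !== false ) {
                $findings[ $name ] = "contains '$needle'";
                continue 2;
            }
        }
        // Baseline comparison catches tampering that carries no obvious script markers.
        if ( isset( $baseline_sha256[ $name ] )
             && ! hash_equals( $baseline_sha256[ $name ], hash( 'sha256', $value ) ) ) {
            $findings[ $name ] = 'hash differs from baseline';
        }
    }
    return $findings;
}

// Constructed sample rows; the key names are placeholders, not the plugin's real options.
$rows = array(
    'abc_ict'   => '10',
    'abc_ics'   => '"><img src=x onerror=alert(1)>',
    'abc_name'  => 'Clinic Calendar <script>alert(1)</script>',
    'abc_slots' => '30',
);
// Baseline taken when the configuration was last known good.
$baseline = array(
    'abc_ict'   => hash( 'sha256', '15' ),   // was 15, is now 10: drift without a script marker
    'abc_slots' => hash( 'sha256', '30' ),   // unchanged
);

foreach ( scan_plugin_options( $rows, $baseline ) as $name => $reason ) {
    echo "TAMPERED {$name}: {$reason}\n";
}
```

Running this prints three findings (abc_ict by hash drift, abc_ics and abc_name by indicator); abc_slots is clean.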

Monitoring Recommendations

  • Forward WordPress web server and PHP application logs to a centralized analytics platform for query-driven hunting
  • Alert on outbound HTTP requests from administrator browsers to unfamiliar domains following access to the plugin admin pages
  • Track creation of WordPress users with the administrator role and correlate against recent plugin configuration changes

How to Mitigate CVE-2016-20084

Immediate Actions Required

  • Disable or remove the appointment-booking-calendar plugin version 1.1.24 from any WordPress installation until an updated release is verified
  • Audit the wp_options table for tampered values in plugin-controlled keys and restore from a clean backup if injection is found
  • Rotate WordPress administrator credentials and invalidate active sessions in case stored payloads have already fired

Patch Information

Review vendor materials at WordPress Calendar Contact Form for the latest plugin release. Upgrade to a version published after 1.1.24 that adds capability checks, nonce validation, and output encoding on the affected parameters. Confirm the patched build addresses both the privilege escalation and the stored XSS conditions before redeploying.

Workarounds

  • Restrict access to wp-admin/admin.php at the web server or WAF layer so that only authenticated administrators can reach plugin endpoints
  • Deploy a Web Application Firewall rule that blocks unauthenticated GET requests containing the ict, ics, or name parameters targeting the plugin
  • Apply Content Security Policy headers that disallow inline script execution on WordPress administration pages to limit XSS payload impact
```apache
# Example WAF rule (ModSecurity) to block unauthenticated configuration changes.
# All three chained conditions must match: request targets admin.php, carries one of
# the tampered parameters, and presents no WordPress login cookie.
SecRule REQUEST_URI "@contains /wp-admin/admin.php" \
  "phase:2,chain,deny,status:403,id:1020084,msg:'Block appointment-booking-calendar param tampering'"
  SecRule ARGS_NAMES "@rx ^(ict|ics|name)$" \
    "chain"
    # WordPress names its login cookie wordpress_logged_in_<hash>, so match on the prefix
    # rather than the literal name; &VAR counts matching cookies, 0 means not logged in.
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
