Threat Entry Updated 2026-04-24

CVE-2026-6810 - Booking Calendar Contact Form Plugin

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to takeover other user's calendars and view user data associated with the calendar.

PLUGIN Booking Calendar Contact Form

CVE-2026-6810

MEDIUM CVSS 5.3 2026-04-24

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-11-25

CVE-2025-13318 - Booking Calendar Contact Form Plugin

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.

PLUGIN Booking Calendar Contact Form

CVE-2025-13318

MEDIUM CVSS 5.3 2025-11-22

Risk Score

Open Full Technical Breakdown