{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6810", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-21T17:34:46.594Z", "datePublished": "2026-04-24T05:29:38.488Z", "dateUpdated": "2026-04-24T13:55:26.615Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T05:29:38.488Z"}, "affected": [{"vendor": "codepeople", "product": "Booking Calendar Contact Form", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.63", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to takeover other user's calendars and view user data associated with the calendar."}], "title": "Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3977d10-239d-4b83-ab0c-ad165485498d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L71"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L71"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L608"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf.php#L608"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3512197%40booking-calendar-contact-form&new=3512197%40booking-calendar-contact-form&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2026-04-21T17:49:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-23T16:30:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T13:54:56.912135Z", "id": "CVE-2026-6810", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T13:55:26.615Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6810", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T13:54:56.912135Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T13:55:03.193Z"}}], "cna": {"title": "Booking Calendar Contact Form <= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "codepeople", "product": "Booking Calendar Contact Form", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.63"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-21T17:49:57.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-23T16:30:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3977d10-239d-4b83-ab0c-ad165485498d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L71"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L71"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L608"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf.php#L608"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3512197%40booking-calendar-contact-form&new=3512197%40booking-calendar-contact-form&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to takeover other user's calendars and view user data associated with the calendar."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T05:29:38.488Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6810", "state": "PUBLISHED", "dateUpdated": "2026-04-24T13:55:26.615Z", "dateReserved": "2026-04-21T17:34:46.594Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-24T05:29:38.488Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to takeover other user's calendars and view user data associated with the calendar."}], "id": "CVE-2026-6810", "lastModified": "2026-04-24T14:38:26.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-24T06:16:08.790", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf.php#L608"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L38"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.63/dex_bccf_admin_int_calendar_list.inc.php#L71"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L608"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L38"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf_admin_int_calendar_list.inc.php#L71"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3512197%40booking-calendar-contact-form&new=3512197%40booking-calendar-contact-form&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3977d10-239d-4b83-ab0c-ad165485498d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.63]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Booking Calendar Contact Form", "source": "cna", "vendor": "codepeople"}, "product": "booking_calendar_contact_form", "vendor": "codepeople"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T20:24:16.071478+00:00", "value": {"mitigation_remediation": ["Upgrade the Booking Calendar Contact Form plugin to a version newer than 1.2.63.", "Limit the use of Subscriber or higher user roles to trusted individuals and review role capabilities to reduce unnecessary privileges.", "If an update cannot be performed immediately, block direct access to the dex_bccf_admin_int_calendar_list.inc.php script by applying web\u2011server rules or using a security plugin that restricts file access based on user roles."], "summary": {"action": "Patch", "impact": "Calendar takeover and unauthorized data exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the Booking Calendar Contact Form plugin up to and including version 1.2.63. Any WordPress site hosting this plugin at or below that version is at risk. Operators should confirm the installed plugin version via the WordPress admin interface and plan an upgrade.", "description_and_impact": "The Booking Calendar Contact Form plugin for WordPress allows a user who has logged in with Subscriber-level permissions or higher to specify a calendar identifier in the dex_bccf_admin_int_calendar_list.inc.php file without proper validation. This insecure direct object reference flaw enables an attacker to view and potentially modify another user\u2019s calendar data, resulting in a moderate breach of confidentiality and integrity.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. An EPSS score of less than 1% suggests that active exploitation is unlikely currently, and the vulnerability is not cataloged in the CISA Known Exploited Vulnerabilities list, further reducing urgency. Exploitation requires authenticated access as a Subscriber or higher; the attacker can then supply a target calendar ID and gain unauthorized access to that calendar\u2019s data. The combination of internal authentication and lack of ownership validation makes this attack straightforward for anyone with legitimate site credentials."}}}}, "created": "2026-04-28T04:00:05.165819+00:00", "updated": "2026-04-28T20:30:06.188480+00:00", "vendors": ["codepeople", "codepeople$PRODUCT$booking_calendar_contact_form", "wordpress", "wordpress$PRODUCT$wordpress"]}