Booking Calendar Contact Form Missing Authorization Vulnerability Allowing Arbitrary Booking Confirmation

Vulnerability

A vulnerability exists in the Booking Calendar Contact Form plugin for WordPress, in all versions through 1.2.60. The issue is a missing authorization check in the 'dex_bccf_check_IPN_verification' function, which allows unauthenticated users to bypass payment requirements and arbitrarily confirm bookings by manipulating the 'dex_bccf_ipn' parameter.

Impact

Exploitation of this vulnerability allows for unauthorized booking confirmations, bypassing payment requirements.

Remediation

Users can update to version 1.2.61 or a newer patched version to address this vulnerability.
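
For sites that ran an affected version, the script below reviews web server access logs for requests carrying the 'dex_bccf_ipn' parameter. It is an added example, not code from the plugin or its vendor; it assumes Combined Log Format and that the parameter appears in the URL query string (values sent only in a POST body would need application or WAF logs), and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

PARAM = "dex_bccf_ipn"  # parameter named in the advisory

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_ipn_requests(lines):
    """Return {client_ip: [(time, method, status, value), ...]} for requests
    whose query string carries PARAM. parse_qsl percent-decodes names, so an
    encoded spelling such as dex%5Fbccf%5Fipn is matched too, while a value
    that merely contains the string is not."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name == PARAM:
                hits[m["ip"]].append(
                    (m["time"], m["method"], int(m["status"]), value)
                )
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Nov/2025:09:01:10 +0000] "GET /?dex_bccf_ipn=PLACEHOLDER HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [22/Nov/2025:09:01:12 +0000] "POST /?dex%5Fbccf%5Fipn=PLACEHOLDER HTTP/1.1" 200 498 "-" "curl/8.0"',
    '203.0.113.20 - - [22/Nov/2025:09:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [22/Nov/2025:09:02:05 +0000] "GET /?page=dex_bccf_ipn_docs HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in find_ipn_requests(SAMPLE_LOG).items():
        print(ip, len(reqs), reqs)
```

A hit is not proof of abuse: legitimate payment notifications presumably reach the same handler, so compare flagged requests against the payment records for the bookings they confirmed.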

Added: Nov 22, 2025, 9:18 AM
Updated: Nov 22, 2025, 9:18 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 8.2
remediation: 7.7
relevance: 1.1
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.