PT-2026-34857 · WordPress · Booking-Calendar-Contact-Form

Published: 2026-04-24 · Updated: 2026-04-25 · CVE-2026-6810

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Booking Calendar Contact Form versions prior to 1.2.64

Description

The Booking Calendar Contact Form plugin for WordPress contains an Insecure Direct Object Reference (IDOR) issue, a flaw where an application provides direct access to objects based on user-supplied input. The problem exists in the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user-controlled key. This allows authenticated attackers with Subscriber-level access or higher to take over other users' calendars and view associated user data.

Recommendations

Update the plugin to a version later than 1.2.63. As a temporary workaround, restrict access to the dex_bccf_admin_int_calendar_list.inc.php file to minimize the risk of exploitation.

Fix

IDOR

Related Identifiers

CVE-2026-6810

Affected Products

Booking-Calendar-Contact-Form