CVE-2023-2414
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.6 - Missing Authorization to Settings Update and Arbitrary File Upload
Public Exploits: 1
Exploited in Wild: -
Descriptions
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_save_settings_callback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to modify the plugin's settings, upload media files, and inject malicious JavaScript.
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_save_settings_callback function in versions up to, and including, 4.4.6. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to modify the plugin's settings, upload arbitrary files, and inject malicious JavaScript (before 4.3.2).
CVSS Scores
SSVC
- Decision: Track
Timeline
- 2023-04-28 CVE Reserved
- 2023-06-02 CVE Published
- 2024-08-28 First Exploit
- 2024-11-25 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
CAPEC
References (4)
URL | Date | SRC |
---|---|---|
https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita | 2024-08-28 |
https://plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/trunk/vcita-ajax-function.php#L88 | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Vcita | Online Booking & Scheduling Calendar | <= 4.2.10 | wordpress | Affected |