WordPress Plugin Vulnerabilities

Online Booking & Scheduling Calendar for WordPress by vcita < 4.5 - Subscriber+ Settings Update & Stored XSS

Description

The plugin does not apply capability checks on the vcita_save_settings_callback function, making it possible for attackers with low privileges, like subscribers, to modify the plugin's settings, upload media files, and conduct XSS attacks.

Affects Plugins

Plugin icon
meeting-scheduler-by-vcita
Fixed in 4.5

References

CVE
CVE-2023-2414
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3c99aab5-a995-44ae-bc14-09f73e6b22c5

Miscellaneous

Original Researcher
Jonas Höbenreich
Verified
No
WPVDB ID
eeca4228-7239-4064-8b7c-7eea2ece3cd0

Timeline

Publicly Published
2023-06-02 (about 2 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2024-12-05 (about 1 year ago)

Other

Published
Title
Published
2018-04-01
Title
WordPress File Upload <= 4.3.2 - Security Issue in Shortcodes
Published
2014-08-01
Title
WordPress 2.9 - Failure to Restrict URL Access
Published
2024-03-28
Title
Pods < 3.1 - Contributor+ Remote Code Execution
Published
2013-07-03
Title
WordPress 3.5.2 - SWFUpload Content Spoofing
Published
2024-10-09
Title
ivalt plugin contains malicious JS <= 1.0.0