CVE-2023-2303

🗓️ 03 Jun 2023 04:35:13Reported by WordfenceType

cve🔗 web.nvd.nist.gov👁 41 Views🌐 WEB

The vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 2.6.4

Reporter	Title	Published	Views	Family All 15
ATTACKERKB	CVE-2023-2303	3 Jun 202305:15	–	attackerkb
Circl	CVE-2023-2303	3 Jun 202312:26	–	circl
CNNVD	WordPress plugin Contact Form and Calls To Action by vcita 跨站请求伪造漏洞	3 Jun 202300:00	–	cnnvd
Cvelist	CVE-2023-2303 Contact Form and Calls To Action by vcita <= 4.10.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting	3 Jun 202304:35	–	cvelist
EUVD	EUVD-2023-33809	3 Oct 202520:07	–	euvd
NVD	CVE-2023-2303	3 Jun 202305:15	–	nvd
OSV	CVE-2023-2303	3 Jun 202305:15	–	osv
Patchstack	WordPress Contact Form and Calls To Action by vcita Plugin <= 2.7.1 is vulnerable to Cross Site Scripting (XSS)	5 Jun 202300:00	–	patchstack
Prion	Cross site request forgery (csrf)	3 Jun 202305:15	–	prion
Positive Technologies	PT-2023-18825 · Vcita · Contact Form/Calls To Action	3 Jun 202300:00	–	ptsecurity

NVD

Vulners

Node

vcita contact_form_and_calls_to_action_by_vcitaRange≤2.6.4wordpress

[
  {
    "vendor": "eyale-vc",
    "product": "Contact Form Builder by vcita",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "4.10.5",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/2345c972-9fd4-4709-8bde-315ab54f60e2
plugins	www.plugins.trac.wordpress.org/changeset/3257683/lead-capturing-call-to-actions-by-vcita/trunk/vcita-callback.php
plugins	www.plugins.trac.wordpress.org/browser/lead-capturing-call-to-actions-by-vcita/trunk/vcita-callback.php
blog	www.blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita

Parameter	Position	Path	Description	CWE
success	query param	/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php	CSRF vulnerability allowing an attacker to modify plugin settings and inject scripts via a forged request.	CWE-352
first_name	query param	/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php	CSRF vulnerability allowing an attacker to modify plugin settings and inject scripts via a forged request.	CWE-352
last_name	query param	/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php	CSRF vulnerability allowing an attacker to modify plugin settings and inject scripts via a forged request.	CWE-352
title	query param	/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php	CSRF vulnerability allowing an attacker to modify plugin settings and inject scripts via a forged request.	CWE-352
confirmation_token	query param	/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php	CSRF vulnerability allowing an attacker to modify plugin settings and inject scripts via a forged request.	CWE-352
confirmed	query param	/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php	CSRF vulnerability allowing an attacker to modify plugin settings and inject scripts via a forged request.	CWE-352
engage_delay	query param	/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php	CSRF vulnerability allowing an attacker to modify plugin settings and inject scripts via a forged request.	CWE-352
implementation_key	query param	/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php	CSRF vulnerability allowing an attacker to modify plugin settings and inject scripts via a forged request.	CWE-352
email	query param	/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php	CSRF vulnerability allowing an attacker to modify plugin settings and inject scripts via a forged request.	CWE-352

08 Apr 2026 17:16Current

6.7Medium risk

Vulners AI Score6.7

CVSS 3.16.1

EPSS0.00254

SSVC

CWE-352