Lucene search

WordfenceCVELIST:CVE-2023-2415

HistoryJun 03, 2023 - 4:35 a.m.

CVE-2023-2415

2023-06-0304:35:15

Wordfence

www.cve.org

wordpress

online booking

vulnerability

data modification

vcita logout

denial of service

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

39.3%

JSON

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_logout_callback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to logout a vctia connected account which would cause a denial of service on the appointment scheduler.

CNA Affected

[
  {
    "vendor": "vcita",
    "product": "Online Booking & Scheduling Calendar for WordPress by vcita",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "4.2.10",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita

plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/trunk/vcita-ajax-function.php#L55

www.wordfence.com/threat-intel/vulnerabilities/id/731cbeed-d4aa-448f-878a-8c51a3da4e18?source=cve

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

39.3%

JSON

Related for CVELIST:CVE-2023-2415