CVE-2023-2415

2023-06-0305:15:09

CWE-862

[email protected]

web.nvd.nist.gov

online booking & scheduling

data modification

denial of service

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

EPSS

0.001

Percentile

39.3%

JSON

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_logout_callback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to logout a vctia connected account which would cause a denial of service on the appointment scheduler.

Affected configurations

Nvd

Node

vcitaonline_booking_\&_scheduling_calendar_for_wordpress_by_vcitaRange≤4.2.10wordpress

VendorProductVersionCPE
vcitaonline_booking_\&_scheduling_calendar_for_wordpress_by_vcita*cpe:2.3:a:vcita:online_booking_\&_scheduling_calendar_for_wordpress_by_vcita:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
vcita	online_booking_\&_scheduling_calendar_for_wordpress_by_vcita	*	cpe:2.3:a:vcita:online_booking_\&_scheduling_calendar_for_wordpress_by_vcita::::::wordpress::*