Lucene search

PRIOn knowledge basePRION:CVE-2023-2414

HistoryJun 09, 2023 - 6:16 a.m.

Design/Logic Flaw

2023-06-0906:16:00

PRIOn knowledge base

www.prio-n.com

wordpress

calendar

vulnerability

data modification

capability check

version 4.2.10

authenticated attackers

minimal permissions

subscriber

settings modification

media files

malicious javascript.

4.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.5%

JSON

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_save_settings_callback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to modify the plugins settings, upload media files, and inject malicious JavaScript.

CPENameOperatorVersion
online_booking_\\&_scheduling_calendarle4.2.10

CPE	Name	Operator	Version
	online_booking_\\&_scheduling_calendar	le	4.2.10

References

blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita

plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/trunk/vcita-ajax-function.php

www.wordfence.com/threat-intel/vulnerabilities/id/3c99aab5-a995-44ae-bc14-09f73e6b22c5?source=cve