CVE-2024-9872

MEDIUM

WordPress vcita < 4.5.1 - Authenticated Stored XSS via vcita_save_user_data_callback

Title source: llm
STIX 2.1

Description

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_save_user_data_callback() function in all versions up to, and including, 4.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject malicious web scripts and update settings.

Scores

CVSS v3 5.4
EPSS 0.0025
EPSS Percentile 16.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
vcita/Online Booking & Scheduling Calendar for WordPress by vcita < 4.5.1
vcita/online_booking_\&_scheduling_calendar < 4.5.2
vcita/online_booking_\&_scheduling_calendar_for_wordpress_by_vcita < 4.5.2
Published Dec 06, 2024
Tracked Since Feb 18, 2026