Platform
wordpress
Component
meeting-scheduler-by-vcita
Fixed in
4.5.6
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the vcita Online Booking & Scheduling Calendar for WordPress plugin. This flaw allows attackers to execute unauthorized actions on behalf of authenticated users, potentially leading to unintended modifications of bookings or plugin settings. The vulnerability affects versions from 0.0.0 up to and including 4.5.5. A patch is available in version 4.6.0.
CSRF works because the browser attaches the victim's WordPress session cookies to any request sent to the site, regardless of which page initiated it. If a logged-in user, typically an administrator, visits an attacker-controlled page while authenticated, that page can submit a request to a vulnerable plugin endpoint and the plugin processes it with the victim's privileges. Against this plugin that could mean creating fraudulent bookings, cancelling existing appointments, or altering plugin settings without the user's knowledge or consent. Two preconditions bound the impact: the attacker needs an authenticated victim to interact with attacker-controlled content, and the attacker gains only the ability to change state, not to read the responses. The impact is greater where the plugin drives scheduling that matters operationally. Direct data exfiltration is not the primary risk, but manipulated bookings and settings can disrupt operations and erode user trust.
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept exploit is known at the time of writing. The CVSS base score is 4.3 (MEDIUM), indicating a moderate risk. It is not listed in the CISA KEV catalog. Monitor WordPress security advisories and vulnerability databases for reports of active exploitation.
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67472 is to upgrade the vcita Online Booking & Scheduling Calendar for WordPress plugin to version 4.6.0 or later. If an immediate upgrade is not feasible because of compatibility or testing requirements, reduce exposure in the interim rather than relying on client-side controls. A Content Security Policy on your site does not stop CSRF: the forged request is issued from a page the attacker controls, where your policy is not in effect. Measures that do help until the update is applied: deactivate the plugin or restrict its admin pages if scheduling can pause; set the SameSite attribute on WordPress authentication cookies (WordPress core does not set it itself; most current browsers default such cookies to Lax, which blocks cross-site POST form submissions but still sends cookies on top-level GET navigation, so any handler that acts on GET parameters stays exposed); reject requests to the plugin's admin-post or admin-ajax endpoints whose Origin or Referer header does not match your site at a reverse proxy or WAF; and have administrators use a dedicated browser profile for the dashboard and log out when finished, since visiting an untrusted page while logged in is the precondition for this class of attack. Note that there is no site-wide switch for WordPress's CSRF protection. It is implemented per request with nonces (wp_nonce_field, check_admin_referer, check_ajax_referer) that each plugin handler must verify for itself, which is why the plugin update, not a core setting, is the actual fix.
Update to version 4.6.0, or a newer patched version
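What a CSRF-prone request handler and its hardened counterpart look like in WordPress terms, as an added illustration. This is not vcita's code, and the advisory does not publish the affected handler; the plugin page, option name, action name and field names (everything prefixed example_) are hypothetical. The vulnerable shape processes any request that reaches its action, so a cross-site POST carrying the victim's cookies succeeds; the hardened shape requires a capability and a nonce that only a form rendered by this site for this user can carry.

```php
<?php
/**
 * Added illustration (not vcita's code, not from the advisory): a hypothetical
 * settings handler for a booking plugin, in the CSRF-prone shape and in the
 * hardened shape. Names prefixed example_ are made up for this example.
 */

// --- Vulnerable shape (the "before" of a typical fix). If this were hooked to
// 'admin_post_example_save_settings', any authenticated admin whose browser is
// made to POST to admin-post.php?action=example_save_settings would have their
// settings overwritten: no nonce, no capability check, no validation.
function example_save_settings_vulnerable() {
    update_option( 'example_booking_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-booking' ) );
    exit;
}

// --- Hardened shape: the form carries a nonce bound to this action and user...
function example_render_settings_form() {
    $settings = get_option( 'example_booking_settings', array( 'slot_length' => 30 ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', '_example_nonce' ); ?>
        <label>Slot length (minutes)
            <input type="number" name="settings[slot_length]"
                   value="<?php echo esc_attr( $settings['slot_length'] ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// ...and the handler refuses anything that does not carry it.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // 1. Capability: only users allowed to change site settings get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. Nonce: an attacker's page cannot read a nonce rendered into this
    //    site's form, so a forged cross-site POST dies here with a 403.
    check_admin_referer( 'example_save_settings', '_example_nonce' );

    // 3. Validate and sanitise before persisting anything.
    $raw  = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $slot = isset( $raw['slot_length'] ) ? absint( $raw['slot_length'] ) : 30;
    if ( $slot < 5 || $slot > 240 ) {
        $slot = 30; // out-of-range value: fall back to the default rather than store garbage
    }
    update_option( 'example_booking_settings', array( 'slot_length' => $slot ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=example-booking' ) ) );
    exit;
}
```

The same two checks apply to AJAX endpoints hooked on wp_ajax_* (use check_ajax_referer there) and to front-end booking actions: every request that changes state needs a capability check appropriate to the action and a nonce verification, and a handler that acts on GET parameters needs them just as much as one that reads POST.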
CVE-2025-67472 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–4.5.5 of the vcita Online Booking & Scheduling Calendar for WordPress plugin, allowing an attacker to forge state-changing requests on behalf of an authenticated user.
You are affected if you are using vcita Online Booking & Scheduling Calendar for WordPress versions 0.0.0 through 4.5.5. Upgrade to 4.6.0 or later to mitigate the risk.
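An added check, not from the advisory or the plugin, that lists installed copies of the plugin and flags any version in the affected range using the WordPress get_plugins() API. The directory slug meeting-scheduler-by-vcita is the Component named on this page; the function and constant names prefixed EXAMPLE_/example_ are hypothetical. Run it inside WordPress, for example as a mu-plugin or with `wp eval-file`.

```php
<?php
/**
 * Added check (not part of the advisory or the plugin): report whether an
 * installed copy of meeting-scheduler-by-vcita is in the affected range.
 * Run inside WordPress, e.g. as a mu-plugin or via `wp eval-file check.php`.
 */

// Affected range from the advisory: 0.0.0 through 4.5.5 inclusive.
const EXAMPLE_VCITA_LAST_AFFECTED = '4.5.5';
const EXAMPLE_VCITA_SLUG          = 'meeting-scheduler-by-vcita';

/** True if $version is within the affected range (pure, usable without WordPress). */
function example_vcita_version_is_affected( $version ) {
    // version_compare() treats "4.5.5.1" as newer than "4.5.5". A missing or
    // empty Version header is reported as affected, the safe direction.
    $version = trim( (string) $version );
    if ( '' === $version ) {
        return true;
    }
    return version_compare( $version, EXAMPLE_VCITA_LAST_AFFECTED, '<=' );
}

/** One entry per installed copy of the plugin (normally zero or one). */
function example_vcita_affected_status() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $results = array();
    // get_plugins() keys each plugin by "<directory>/<main-file>.php".
    foreach ( get_plugins() as $file => $data ) {
        if ( 0 !== strpos( $file, EXAMPLE_VCITA_SLUG . '/' ) ) {
            continue;
        }
        $version   = isset( $data['Version'] ) ? $data['Version'] : '';
        $results[] = array(
            'file'     => $file,
            'version'  => $version,
            'active'   => is_plugin_active( $file ) || is_plugin_active_for_network( $file ),
            'affected' => example_vcita_version_is_affected( $version ),
        );
    }
    return $results;
}

$found = example_vcita_affected_status();
if ( empty( $found ) ) {
    echo EXAMPLE_VCITA_SLUG . ": not installed\n";
}
foreach ( $found as $row ) {
    printf(
        "%s: version %s (%s) -> %s\n",
        $row['file'],
        '' === $row['version'] ? 'unknown' : $row['version'],
        $row['active'] ? 'active' : 'inactive',
        $row['affected'] ? 'AFFECTED, upgrade to 4.6.0 or later' : 'not in affected range'
    );
}
```

An inactive copy in the affected range is still worth removing or updating: inactive plugin code is not hooked into request handling, but it can be re-enabled, and keeping unpatched code on disk is a standing risk.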
Upgrade the vcita Online Booking & Scheduling Calendar for WordPress plugin to version 4.6.0 or later. If the upgrade must wait, limit exposure in the meantime by minimising administrator sessions, enforcing SameSite on WordPress authentication cookies, or rejecting cross-origin requests to the plugin's endpoints at a reverse proxy or WAF; a Content Security Policy is not a CSRF mitigation.
As of the current disclosure date, there are no known active exploitation campaigns or public proof-of-concept exploits for CVE-2025-67472.
Refer to the vcita website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-67472.