Platform
wordpress
Component
meeting-scheduler-by-vcita
Fixed in
4.5.6
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the vcita Online Booking & Scheduling Calendar for WordPress plugin. The flaw lets an attacker cause state-changing actions to be performed with the privileges of an authenticated user who did not intend them, which can mean unwanted changes to bookings or to plugin settings. All versions up to and including 4.5.5 are affected. A patch is available in version 4.6.0.
The attack works as follows: the attacker hosts a page (or injects markup into a site the victim trusts) that silently submits a request to the vulnerable plugin endpoint. When a user who is logged in to WordPress, typically an administrator or a staff member who manages bookings, loads that page, the browser attaches the site's session cookies and the plugin processes the request as if the user had submitted the form, because it does not verify that the user deliberately initiated it. Depending on which handlers lack that check, the attacker could create fraudulent bookings, cancel existing appointments, or alter plugin configuration without the user's knowledge. The attacker never sees the response, so this is an integrity issue rather than a data-exfiltration one, but manipulated schedules and settings can disrupt operations and erode customer trust, especially where the calendar drives business-critical processes.
This vulnerability was publicly disclosed on 2025-12-09. There are currently no known public proof-of-concept exploits available. The CVSS score is 4.3 (MEDIUM), indicating a moderate risk. It is not currently listed on the CISA KEV catalog. Monitor WordPress security forums and vulnerability databases for any updates regarding active exploitation campaigns.
Any site running an affected version is exposed, but the practical risk concentrates where privileged WordPress users (site administrators, staff who manage bookings) browse other websites while still logged in, since that is the session a forged request rides on. Sites whose booking data is sensitive or whose schedule drives daily operations have the most to lose. Exploiting this CSRF does not give the attacker code execution or server access, so on shared hosting a compromise of one tenant's bookings does not by itself endanger the other sites on the server.
• wordpress: confirm the plugin is installed and read its version
  ls /var/www/html/wp-content/plugins/ | grep -i vcita
  wp plugin list | grep vcita
• wordpress: update the plugin via WP-CLI (use `wp plugin update --all` if you want every plugin brought current)
  wp plugin update meeting-scheduler-by-vcita
• generic web: look for bookings, cancellations or plugin-setting changes that no staff member made. Keep in mind that a forged request is sent by the victim's own browser, so it arrives from the victim's usual IP address with the victim's valid session cookie; filtering access logs by unfamiliar source IPs will not find it. Instead review POST requests to the plugin's form endpoints (for most WordPress plugins that is wp-admin/admin-post.php or admin-ajax.php; this page does not say which endpoint vcita uses) whose Referer, or Origin if your log format records it, is missing or points to another site.
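As an added illustration of the log review above, not code from this page or from vcita, the following PHP script scans Apache/Nginx combined-format access log lines and flags POST requests to the WordPress admin endpoints whose Referer is absent or belongs to a different host, which is what a cross-site submission looks like from the server side. The site host, the endpoint paths and the four log lines are constructed for the example; adjust the path regex to the endpoint the plugin actually posts to.

```php
<?php
// Added example: triage of combined-format access logs for CSRF-shaped requests.
// Site host and log lines below are constructed, not real data.

const SITE_HOST = 'booking.example';

// Constructed sample: one legitimate settings save, one cross-site POST,
// one POST with no Referer, and one ordinary page view.
$log = <<<'LOG'
203.0.113.7 - - [09/Dec/2025:10:01:12 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://booking.example/wp-admin/admin.php?page=vcita" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2025:10:04:55 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://attacker.example/free-stuff.html" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2025:10:05:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2025:10:05:10 +0000] "GET /wp-admin/admin.php?page=vcita HTTP/1.1" 200 5120 "https://booking.example/wp-admin/" "Mozilla/5.0"
LOG;

/**
 * Return the POSTs to state-changing admin endpoints whose Referer is missing
 * or cross-site. Every hit is a triage candidate, not proof: clients that send
 * Referrer-Policy: no-referrer also produce Referer "-".
 */
function find_csrf_suspects(string $log, string $site_host): array
{
    // Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
    $pattern = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" '
             . '(?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"/';
    $suspects = [];

    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;                                   // not a combined-format line
        }
        if ($m['method'] !== 'POST') {
            continue;                                   // only state-changing requests matter
        }
        // Endpoints most WordPress plugin forms submit to; widen if the plugin uses its own route.
        if (!preg_match('#^/wp-admin/admin-(post|ajax)\.php#', $m['path'])) {
            continue;
        }

        $refererHost = $m['referer'] === '-' ? null : parse_url($m['referer'], PHP_URL_HOST);
        if ($refererHost === null) {
            $reason = 'no Referer on state-changing admin request';
        } elseif (strcasecmp($refererHost, $site_host) !== 0) {
            $reason = "cross-site Referer: {$refererHost}";
        } else {
            continue;                                   // same-origin: expected for a real form post
        }

        // Note the IP is the victim's own; it is the Referer, not the source, that gives it away.
        $suspects[] = ['time' => $m['ts'], 'ip' => $m['ip'], 'path' => $m['path'], 'reason' => $reason];
    }
    return $suspects;
}

foreach (find_csrf_suspects($log, SITE_HOST) as $s) {
    printf("%s %s %s -> %s\n", $s['time'], $s['ip'], $s['path'], $s['reason']);
}
```

Run against a real log with `php triage.php < access.log` after replacing the embedded sample with `file_get_contents('php://stdin')`. If your LogFormat includes `%{Origin}i`, prefer the Origin header over Referer: browsers send it on cross-site POSTs even when Referer is suppressed.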
Exploit status: disclosure
EPSS: 0.02% (6th percentile)
The fix for CVE-2025-67472 is to upgrade the vcita Online Booking & Scheduling Calendar for WordPress plugin to version 4.6.0 or later. If an immediate upgrade is not feasible because of compatibility testing, the interim measures that actually address CSRF are: deactivate the plugin until it can be updated; have your host, reverse proxy or WAF set SameSite=Lax (or Strict) on the WordPress authentication cookies, which stops cross-site POST submissions (Lax still allows top-level GET navigations, so it only helps if the vulnerable action is not reachable via GET); and, where your edge can inspect headers, reject POSTs to the plugin's endpoints whose Origin or Referer is not your own site. A Content Security Policy does not mitigate CSRF: it restricts what the victim's page may load, not what another site may make the victim's browser send, so do not count on it here. Nor is there a site-wide WordPress CSRF protection to switch on; core provides nonces (wp_nonce_field() on the form, check_admin_referer() or wp_verify_nonce() in the handler), but they protect only the handlers whose code calls them, which is exactly what the vendor's patch has to add. Telling users not to click untrusted links remains useful advice but is not a control.
Update to version 4.6.0, or a later fixed version
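The mechanism described in the impact section and the nonce check named above as the real fix, shown side by side as an added example in WordPress PHP. This is illustrative code written for this page, not the vcita plugin's source or its patch; the hook name `example_save_booking_settings`, the option names, the field names and the attacker's page are all hypothetical, and the plugin's real endpoints are not known from this advisory.

```php
<?php
// Added example: a minimal WordPress admin-post handler written the way a
// CSRF-prone plugin typically writes it, beside the nonce-checked form a patch
// should produce. All hook, option and field names are hypothetical.

// ---- Vulnerable pattern: authorized, but never checks the user meant it -----
add_action( 'admin_post_example_save_booking_settings', 'example_save_booking_settings_unsafe' );
function example_save_booking_settings_unsafe() {
    // admin_post_* hooks only fire for logged-in users, and the capability
    // check passes for an administrator. Nothing here proves the request was
    // initiated by that administrator rather than by a form on another site
    // that their browser submitted with the session cookie attached.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    update_option( 'example_booking_email', sanitize_email( wp_unslash( $_POST['booking_email'] ?? '' ) ) );
    update_option( 'example_auto_confirm', empty( $_POST['auto_confirm'] ) ? 0 : 1 );
    wp_safe_redirect( admin_url( 'admin.php?page=example-booking&saved=1' ) );
    exit;
}

// ---- Hardened pattern: same authorization plus a nonce bound to the action --
add_action( 'admin_post_example_save_booking_settings_safe', 'example_save_booking_settings_safe' );
function example_save_booking_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // The nonce is derived from the action name, the current user and the
    // session token, so a third-party page cannot obtain or guess it.
    // check_admin_referer() stops the request with "The link you followed has
    // expired" when the field is missing or fails verification.
    check_admin_referer( 'example_save_booking_settings', '_example_nonce' );

    update_option( 'example_booking_email', sanitize_email( wp_unslash( $_POST['booking_email'] ?? '' ) ) );
    update_option( 'example_auto_confirm', empty( $_POST['auto_confirm'] ) ? 0 : 1 );
    wp_safe_redirect( admin_url( 'admin.php?page=example-booking&saved=1' ) );
    exit;
}

// ---- The legitimate settings form emits the matching nonce field ------------
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_booking_settings_safe">
        <?php wp_nonce_field( 'example_save_booking_settings', '_example_nonce' ); ?>
        <p><label>Notification e-mail
            <input type="email" name="booking_email"
                   value="<?php echo esc_attr( get_option( 'example_booking_email', '' ) ); ?>">
        </label></p>
        <p><label><input type="checkbox" name="auto_confirm" value="1"
               <?php checked( get_option( 'example_auto_confirm', 0 ), 1 ); ?>> Auto-confirm bookings</label></p>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

/*
 * What the attacker hosts elsewhere (constructed): a self-submitting form.
 * Against the unsafe handler it succeeds as soon as a logged-in administrator
 * loads the page; against the safe handler it dies at check_admin_referer().
 *
 *   <form id="f" method="post" action="https://victim.example/wp-admin/admin-post.php">
 *     <input type="hidden" name="action" value="example_save_booking_settings">
 *     <input type="hidden" name="booking_email" value="attacker@evil.example">
 *   </form>
 *   <script>document.getElementById('f').submit()</script>
 */
```

The only difference between the two handlers is the `check_admin_referer()` call and the `wp_nonce_field()` that feeds it; the capability check alone does nothing against CSRF because the victim genuinely holds that capability. For AJAX handlers the equivalent pair is `wp_nonce_field()`/`wp_create_nonce()` on the client and `check_ajax_referer()` in the `wp_ajax_*` callback; for REST routes, the `X-WP-Nonce` header checked by core's cookie authentication plays the same role.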
CVE-2025-67472 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–4.5.5 of the vcita Online Booking & Scheduling Calendar for WordPress plugin, allowing an attacker to make an authenticated user's browser submit state-changing requests to the plugin without that user's intent.
You are affected if you are using vcita Online Booking & Scheduling Calendar for WordPress versions 0.0.0 through 4.5.5. Upgrade to 4.6.0 or later to mitigate the risk.
Upgrade the vcita Online Booking & Scheduling Calendar for WordPress plugin to version 4.6.0 or later. If the upgrade must wait, deactivate the plugin or enforce SameSite cookies and Origin/Referer checks at the edge; a Content Security Policy does not prevent CSRF and is not a substitute.
As of the current disclosure date, there are no known active exploitation campaigns or public proof-of-concept exploits for CVE-2025-67472.
Refer to the vcita website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-67472.