PT-2023-19438 · Vcita · Online Booking & Scheduling Calendar For Wordpress

Jonas Höbenreich · Published 2023-06-03 · Updated 2025-06-10 · CVE-2023-2415

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress, versions up to and including 4.2.10.

Description
The issue is caused by a missing capability check on the vcita logout callback function, which allows authenticated attackers with minimal permissions (such as a subscriber) to modify data. This can lead to a denial of service on the appointment scheduler by logging out the connected account.

Recommendations
For versions up to and including 4.2.10, update to a version higher than 4.2.10 to resolve the issue. As a temporary workaround, consider disabling the vcita logout callback function until a patch is available. Restrict access to the appointment scheduler to minimize the risk of exploitation.
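The weakness class described above, a WordPress AJAX handler that changes state without checking the caller's capability, is illustrated below as an added example written for this advisory; it is not the vcita plugin's code, and the hook names, option name and function names are assumptions chosen for the illustration. The first handler shows the pattern the advisory describes (any logged-in user, subscriber included, can reach a wp_ajax_* action), the second adds the capability check and a nonce, and the closing snippet shows how a site administrator could detach a handler from a must-use plugin as the temporary workaround the recommendations mention.

```php
<?php
// Added illustration for the advisory above, not the plugin's own code.
// Hook names, the option name and the function names are assumptions.

// BEFORE: the pattern the advisory describes. wp_ajax_* actions are reachable
// by every authenticated user, so without a capability check a subscriber can
// delete the stored connection and log the site's booking account out.
function example_vcita_logout_unchecked() {
    delete_option( 'example_vcita_connection' ); // drops the stored account link
    wp_send_json_success( array( 'logged_out' => true ) );
}
add_action( 'wp_ajax_example_vcita_logout_unchecked', 'example_vcita_logout_unchecked' );

// AFTER: require an administrative capability and a nonce before touching state.
function example_vcita_logout_checked() {
    // Only users allowed to manage plugin settings may disconnect the account.
    // wp_send_json_error() ends the request, so nothing below runs for others.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Reject requests that did not originate from the plugin's settings page
    // (the nonce is created there with wp_create_nonce( 'example_vcita_logout' )).
    check_ajax_referer( 'example_vcita_logout', 'nonce' );

    delete_option( 'example_vcita_connection' );
    wp_send_json_success( array( 'logged_out' => true ) );
}
add_action( 'wp_ajax_example_vcita_logout_checked', 'example_vcita_logout_checked' );

// WORKAROUND: until the site is updated, a must-use plugin can detach the
// unchecked handler. This runs late on 'init' so the plugin has already
// registered its action; the hook and callback names are again assumptions.
add_action( 'init', function () {
    remove_action( 'wp_ajax_example_vcita_logout_unchecked', 'example_vcita_logout_unchecked' );
}, 100 );
```

The capability check is the fix the advisory calls for; the nonce is a separate control against cross-site requests and does not replace it, because a nonce only proves the request came from a page the user loaded, not that the user is allowed to perform the action.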

Tags: Exploit · Fix · DoS · Missing Authorization

Weakness Enumeration

Related Identifiers
CVE-2023-2415

Affected Products
Online Booking & Scheduling Calendar For Wordpress