PT-2023-19447 · Vcita · Online Booking & Scheduling Calendar For Wordpress
Jonas Höbenreich · Published 2023-06-03 · Updated 2025-06-10
CVE-2023-2416
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress, versions up to and including 4.2.10.
Description
The issue is a missing nonce check on the vcita logout callback function, which makes it possible for unauthenticated attackers to log out a vcita-connected account. This can cause a denial of service on the appointment scheduler via a forged request, granted they can trick a site user into performing an action such as clicking on a link.
Recommendations
For versions up to and including 4.2.10, update to a version that includes a fix for the missing nonce check on the vcita logout callback function to prevent Cross-Site Request Forgery attacks.
As a temporary workaround, consider restricting access to the vcita logout callback function until a patch is available.
Exploit · Fix · DoS · CSRF
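To make the recommended fix concrete, the following is an added example (not the vcita plugin's own code; the handler and option names are hypothetical) showing a WordPress admin-post logout callback without a nonce check next to the same callback protected by WordPress's standard nonce and capability checks:

```php
<?php
// Added example, not the plugin's code. Names such as vcita_example_logout_*
// and the option key 'vcita_example_token' are assumptions for illustration.

// BEFORE (the vulnerable pattern described in the advisory): the callback runs
// for any request to admin-post.php?action=..., so a link or form forged by a
// third party and followed by a logged-in user disconnects the account.
function vcita_example_logout_unverified() {
    delete_option( 'vcita_example_token' );   // drops the connected account
    wp_safe_redirect( admin_url( 'admin.php?page=vcita-example' ) );
    exit;
}
add_action( 'admin_post_vcita_example_logout_unverified', 'vcita_example_logout_unverified' );

// AFTER (fixed pattern): require a nonce bound to this action and the current
// user, plus a capability check, before touching the stored token.
function vcita_example_logout_verified() {
    // check_admin_referer() calls wp_die() when the _wpnonce value is missing
    // or invalid; a cross-site forged request cannot supply a valid one.
    check_admin_referer( 'vcita_example_logout', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    delete_option( 'vcita_example_token' );
    wp_safe_redirect( admin_url( 'admin.php?page=vcita-example&disconnected=1' ) );
    exit;
}
add_action( 'admin_post_vcita_example_logout_verified', 'vcita_example_logout_verified' );

// The legitimate "disconnect" link in the plugin's settings page must carry the
// nonce, otherwise the verified handler rejects it just like a forged request.
function vcita_example_logout_url() {
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=vcita_example_logout_verified' ),
        'vcita_example_logout',
        '_wpnonce'
    );
}
```

Until a patched version is installed, the workaround above amounts to making sure only the verified route (or no route at all) is reachable for the logout action.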
Affected Products
Online Booking & Scheduling Calendar For Wordpress