CVE-2024-5791

Name of the Vulnerable Software and Affected Versions: The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress versions up to, and including, 4.4.2

Description: The issue is related to Stored Cross-Site Scripting via the wp id parameter due to missing authorization checks on the processAction function, as well as insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a wp-admin dashboard.

Recommendations: For versions up to, and including, 4.4.2, update the plugin to a version higher than 4.4.2 to resolve the issue. As a temporary workaround, consider restricting access to the wp id parameter and the processAction function until a patch is available.