PT-2025-2255 · Vcita · Contact Form/Calls To Action By Vcita

Muhammad Yudha

Published

2025-01-31

Updated

2025-01-31

CVE-2024-13717

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions The Contact Form and Calls To Action by vcita plugin for WordPress versions up to, and including, 2.7.1

Description The issue is related to a missing capability check on the vcita ajax toggle ae and vcita ajax toggle contact functions. This allows authenticated attackers with subscriber-level access and above to enable and disable widgets, resulting in unauthorized modification of data.

Recommendations For versions up to, and including, 2.7.1, update to a version that includes a capability check on the vcita ajax toggle ae and vcita ajax toggle contact functions to prevent unauthorized modification of data. As a temporary workaround, consider restricting access to the vcita ajax toggle ae and vcita ajax toggle contact functions until a patch is available.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2024-13717

Affected Products

Contact Form/Calls To Action By Vcita

PT-2025-2255 · Vcita · Contact Form/Calls To Action By Vcita

CVE-2024-13717

Weakness Enumeration

Related Identifiers

Affected Products

References · 6