CVE-2024-9872

EPSS 0.15%
Veröffentlicht 06.12.2024 09:15:09
Zuletzt bearbeitet 20.02.2026 20:40:34
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_save_user_data_callback() function in all versions up to, and including, 4.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject malicious web scripts and update settings.

Mögliche Gegenmaßnahme

Online Booking & Scheduling Calendar for WordPress by vcita: Update to version 4.5.2, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Online Booking & Scheduling Calendar for WordPress by vcita

Version *-4.5.1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vcita ≫ Online Booking & Scheduling Calendar SwPlatformwordpress Version < 4.5.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.352

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://plugins.trac.wordpress.org/changeset/3200129/meeting-scheduler-by-vcita/trunk/vcita-ajax-function.php

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/963c2d10-692b-4447-8d0b-7ccc2e533f01?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/963c2d10-692b-4447-8d0b-7ccc2e533f01

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-9872

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-9872

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-9872

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-9872