Description
Generation of Error Message Containing Sensitive Information vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Retrieve Embedded Sensitive Data.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.
Published: 2025-04-04
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The affected WordPress plugin contains a flaw where error messages expose embedded sensitive data. This weakness allows an attacker, by provoking an error, to retrieve information that should be protected. The vulnerability is identified as CWE-209, indicating that sensitive data is revealed through improper error handling, leading to potential data confidentiality breaches.

Affected Systems

WordPress sites using the "Online Booking & Scheduling Calendar for WordPress by vcita" plugin are impacted. Versions from the earliest release through 4.5.5 are vulnerable. No other versions are listed as affected, so upgrades beyond 4.5.5 should eliminate the issue.

Risk and Exploitability

The CVSS score of 4.3 suggests moderate severity, but the EPSS score of less than 1% indicates a low probability that the vulnerability is actively exploited in the wild. Since the plugin is web‑accessible, an attacker could trigger the error message through normal usage or crafted requests, causing sensitive data leakage. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. The risk primarily depends on whether the plugin’s errors are exposed to end users; disabling detailed errors mitigates the impact.

Generated by OpenCVE AI on May 1, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the vcita plugin to a version newer than 4.5.5, which removes the sensitive data exposure flaw.
  • Disable detailed PHP error reporting in the production environment (set error_reporting to E_ERROR or lower) so that error messages do not reveal confidential information.
  • Perform security testing that deliberately triggers error conditions on the plugin to confirm that no sensitive data is displayed.

Generated by OpenCVE AI on May 1, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9803 Generation of Error Message Containing Sensitive Information vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Retrieve Embedded Sensitive Data. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Generation of Error Message Containing Sensitive Information vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Retrieve Embedded Sensitive Data. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.2. Generation of Error Message Containing Sensitive Information vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Retrieve Embedded Sensitive Data.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.
Title WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.2 - Sensitive Data Exposure vulnerability WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.5 - Sensitive Data Exposure vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Fri, 20 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Vcita online Booking \& Scheduling Calendar
CPEs cpe:2.3:a:vcita:online_booking_\&_scheduling_calendar_for_wordpress_by_vcita:*:*:*:*:*:wordpress:*:* cpe:2.3:a:vcita:online_booking_\&_scheduling_calendar:*:*:*:*:*:wordpress:*:*
Vendors & Products Vcita online Booking \& Scheduling Calendar For Wordpress By Vcita
Vcita online Booking \& Scheduling Calendar

Mon, 09 Jun 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Vcita
Vcita online Booking \& Scheduling Calendar For Wordpress By Vcita
CPEs cpe:2.3:a:vcita:online_booking_\&_scheduling_calendar_for_wordpress_by_vcita:*:*:*:*:*:wordpress:*:*
Vendors & Products Vcita
Vcita online Booking \& Scheduling Calendar For Wordpress By Vcita

Fri, 04 Apr 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Generation of Error Message Containing Sensitive Information vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Retrieve Embedded Sensitive Data. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.2.
Title WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.2 - Sensitive Data Exposure vulnerability
Weaknesses CWE-209
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Vcita Online Booking \& Scheduling Calendar
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:02:23.350Z

Reserved: 2025-04-04T10:01:59.469Z

Link: CVE-2025-32238

cve-icon Vulnrichment

Updated: 2025-04-04T19:38:49.417Z

cve-icon NVD

Status : Modified

Published: 2025-04-04T16:15:33.233

Modified: 2026-04-23T15:28:48.800

Link: CVE-2025-32238

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T00:30:04Z

Weaknesses