Description
Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.3.
Published: 2025-08-20
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to upload arbitrary file types through the booking plugin’s upload endpoint because the plugin does not validate MIME types or inspect file contents. A malicious user can thus place a script such as a PHP file on the server. If the file is executed via a browser request or by exploiting server execution policies, the attacker can run arbitrary code on the WordPress installation, effectively compromising the site.

Affected Systems

The affected product is the vcita Online Booking & Scheduling Calendar for WordPress plugin, with all releases up to and including version 4.5.3. WordPress sites that have not upgraded beyond 4.5.3 and that allow unauthenticated or low-level authenticated access to the upload functionality are at risk.

Risk and Exploitability

The flaw carries a CVSS score of 9.1, denoting critical severity, while the EPSS score is below 1%, indicating a low probability of immediate exploitation. Nonetheless, the readily exploitable server-side upload flaw and the plugin’s common usage mean that a determined adversary could target the system. The vulnerability is not in the CISA KEV catalog, but the likely attack vector is a web-based file upload performed by a user with permission to add bookings, and the absence of MIME validation makes exploitation straightforward.

Generated by OpenCVE AI on April 30, 2026 at 08:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the vcita booking plugin to the latest released version that includes the file-upload validation fix.
  • Configure the plugin or server to allow only safe MIME types (e.g., images and documents) and reject all other file types, or disable the upload feature entirely if your workflow does not need it.
  • Ensure that the directory used for uploaded files has restrictive permissions and is placed outside the web root or configured so that uploaded files cannot be executed by the web server.
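The three recommendations above (validate type by content rather than by client-supplied metadata, keep uploads out of the web root, and make stored files non-executable) can be seen together in the following WordPress-style upload handler. This is an added example written for this page; it is not the vcita plugin's code and not the vendor's fix. The function name example_handle_booking_upload(), the constant EXAMPLE_UPLOAD_DIR, the nonce action name, the 5 MiB size cap and the image/PDF allowlist are all assumptions chosen for illustration; the WordPress calls it uses (current_user_can, wp_verify_nonce, wp_check_filetype_and_ext, WP_Error) are real core APIs.

```php
<?php
// Added example (not vcita plugin code): a hardened upload handler for a
// WordPress plugin. example_handle_booking_upload(), EXAMPLE_UPLOAD_DIR and
// the allowlist below are assumptions made for this illustration.

// Allowlist keyed by extension, mapped to the MIME type the file's
// magic bytes must actually match. Anything outside this map is rejected,
// so .php, .phtml, .phar and similar never reach the storage step.
const EXAMPLE_ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];

/**
 * Validate and store one uploaded file.
 *
 * @param array $file One entry of $_FILES (name, tmp_name, size, error).
 * @return string|WP_Error Stored path on success, WP_Error on rejection.
 */
function example_handle_booking_upload(array $file) {
    // 1. Authorisation: require a capability and a nonce, so that the upload
    //    endpoint is neither anonymous nor reachable by a forged request.
    if (!current_user_can('edit_posts') ||
        !isset($_POST['_wpnonce']) ||
        !wp_verify_nonce($_POST['_wpnonce'], 'example_booking_upload')) {
        return new WP_Error('forbidden', 'Not allowed to upload.');
    }

    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return new WP_Error('upload_failed', 'Upload did not complete.');
    }
    if ($file['size'] > 5 * 1024 * 1024) { // 5 MiB cap (assumed policy value)
        return new WP_Error('too_large', 'File exceeds size limit.');
    }

    // 2. Extension check on the final extension only, lower-cased:
    //    "shell.pdf.php" is judged by "php" (not allowed) and
    //    "invoice.php.pdf" by "pdf", which then has to pass the content check.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, EXAMPLE_ALLOWED_TYPES)) {
        return new WP_Error('bad_extension', 'File type not permitted.');
    }

    // 3. Content check: sniff the magic bytes with finfo instead of trusting
    //    $file['type'], which is supplied by the client and freely forgeable.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== EXAMPLE_ALLOWED_TYPES[$ext]) {
        return new WP_Error('mime_mismatch', 'File content does not match its extension.');
    }

    // 4. Cross-check with WordPress core's own extension/MIME validation,
    //    which also honours the site's upload_mimes filter.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($check['ext']) || empty($check['type']) || $check['ext'] !== $ext) {
        return new WP_Error('wp_rejected', 'WordPress rejected this file type.');
    }

    // 5. Store under a server-generated name in a directory outside the web
    //    root. EXAMPLE_UPLOAD_DIR is assumed to be defined in wp-config.php,
    //    e.g. dirname(ABSPATH) . '/booking-uploads', so the user-supplied
    //    filename never shapes the path and nothing there is web-served.
    $dir  = defined('EXAMPLE_UPLOAD_DIR') ? EXAMPLE_UPLOAD_DIR : sys_get_temp_dir();
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return new WP_Error('store_failed', 'Could not store file.');
    }
    chmod($dest, 0640); // readable by the web server user, never executable
    return $dest;
}
```

Files stored this way are served only through a controlled download handler that sets Content-Type from the allowlist, never by a direct URL. If the directory cannot be moved outside the web root, the third recommendation still applies at the server layer: with Apache and mod_php, a `php_flag engine off` directive scoped to that directory disables PHP execution there; with nginx, keep the uploads path out of any `location ~ \.php$` block that passes requests to php-fpm.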

Generated by OpenCVE AI on April 30, 2026 at 08:46 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-28563
Title: Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1)
  Values Removed: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
  Values Added:   {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.3.
  Values Added:   Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Using Malicious Files.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.3.
References
  (changed)
Metrics (cvssV3_1)
  Values Removed: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}
  Values Added:   {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Fri, 12 Dec 2025 14:00:00 +0000

First Time appeared
  Values Added: Vcita online Booking \& Scheduling Calendar
CPEs
  Values Added: cpe:2.3:a:vcita:online_booking_\&_scheduling_calendar:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Values Added: Vcita online Booking \& Scheduling Calendar

Thu, 21 Aug 2025 12:45:00 +0000

First Time appeared
  Values Added: Vcita; Vcita online Booking & Scheduling Calendar For Wordpress By Vcita; Wordpress; Wordpress wordpress
Vendors & Products
  Values Added: Vcita; Vcita online Booking & Scheduling Calendar For Wordpress By Vcita; Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 16:15:00 +0000

Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000

Description
  Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.3.
Title
  Values Added: WordPress Online Booking & Scheduling Calendar for WordPress by vcita Plugin <= 4.5.3 - Arbitrary File Upload Vulnerability
Weaknesses
  Values Added: CWE-434
References
  (added)
Metrics (cvssV3_1)
  Values Added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:33.894Z

Reserved: 2025-07-28T10:55:49.520Z

Link: CVE-2025-54677

Vulnrichment

Updated: 2025-08-20T13:56:29.168Z

NVD

Status: Modified

Published: 2025-08-20T08:15:49.030

Modified: 2026-04-23T15:32:48.370

Link: CVE-2025-54677

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:00:19Z

Weaknesses