Data Modification Vulnerability in vcita Plugin for WordPress
CVE-2024-13717
4.3MEDIUM
Key Information:
- Vendor
- WordPress
- Vendor
- CVE Published:
- 31 January 2025
Summary
The vcita plugin for WordPress, specifically in the Contact Form and Calls To Action functionality, is susceptible to unauthorized data manipulation. This arises from the absence of a capability check within the vcita_ajax_toggle_ae and vcita_ajax_toggle_contact functions. As a result, authenticated users with subscriber-level access and above may exploit this flaw to enable or disable widgets without proper authorization. All versions up to and including 2.7.1 are impacted. Organizations using this plugin should take immediate action to mitigate potential risks associated with this vulnerability.
Affected Version(s)
Contact Form and Calls To Action by vcita * <= 2.7.1
References
CVSS V3.1
Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
muhammad yudha