CVE-2025-54677 — AI Deep Analysis Summary

🚨 **Essence**: Arbitrary File Upload vulnerability in the 'Online Booking & Scheduling Calendar' plugin.…

🛡️ **Root Cause**: CWE-434 (Unrestricted Upload of File with Dangerous Type). 🐛 **Flaw**: The plugin only checks the HTTP `Content-Type` header.…

👥 **Affected**: WordPress Plugin: **Online Booking & Scheduling Calendar for WordPress by vcita**. 📦 **Versions**: **4.5.3 and earlier**. ⚠️ Ensure you are not running these outdated versions.

💻 **Attacker Capabilities**: Upload PHP/webshell files. 🗝️ **Privileges**: Execute arbitrary code on the server. 📂 **Data**: Full read/write access to site files and database.…

🔐 **Auth Required**: Yes. CVSS indicates **PR:H** (Privileges Required: High). 🚶 **Threshold**: Medium. You need valid WordPress admin credentials to trigger the upload endpoint. Not fully open to the public internet. 🛑

🔓 **Public Exploit**: Yes. A PoC is available on GitHub (quetuan03/CVE-2025-54677). 🧪 **Method**: Change `Content-Type` to `image/png` but prepend file signature `GIF87a` to bypass the weak check. 📝

🔍 **Self-Check**: Scan for the plugin name 'Online Booking & Scheduling Calendar for WordPress by vcita'. 📊 **Version Check**: Verify if installed version is ≤ 4.5.3.…

🔧 **Official Fix**: The vendor (vcita) is expected to release a patch. 📅 **Status**: CVE published 2025-08-20. ⏳ **Action**: Check the vendor's official WordPress repository for updates > 4.5.3 immediately.

🚧 **No Patch Workaround**: 1. **Disable/Uninstall** the plugin if not essential. 2. Restrict file upload permissions via `.htaccess` or server config. 3.…

🔥 **Urgency**: **HIGH**. CVSS Score is **9.8** (Critical). 🚨 Even with auth required, RCE is devastating. 🏃 **Action**: Patch or disable immediately upon update availability. Do not ignore this risk!