CVE-2025-54677 PoC — WordPress Online Booking & Scheduling Calendar for WordPress by vcita Plugin <= 4.5.3 - Arbitrary File Upload Vulnerabil

Source

https://github.com/quetuan03/CVE-2025-54677

Associated Vulnerability

Title:WordPress Online Booking & Scheduling Calendar for WordPress by vcita Plugin <= 4.5.3 - Arbitrary File Upload Vulnerability (CVE-2025-54677)
Description:Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Using Malicious Files.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.3.

Description

WordPress Online Booking & Scheduling Calendar for WordPress by vcita Plugin <= 4.5.3 is vulnerable to a medium priority Arbitrary File Upload

Readme

Sink: Weak check only checks Content-Type, which leads to RCE system arbitrary file upload vulnerability
<img width="1281" height="747" alt="image" src="https://github.com/user-attachments/assets/a82cecea-9919-47ed-9f71-b1522a74f6b9" />
PoC: Change the Content-Type field to image/png and the file signature to GIF87a
<img width="1919" height="1019" alt="image" src="https://github.com/user-attachments/assets/9fd43c57-412e-45f2-ae56-b0135c845ce8" />
<img width="928" height="470" alt="image" src="https://github.com/user-attachments/assets/9b2154f4-95ce-43e5-b943-89f5857cde6c" />

File Snapshot


 [4.0K]  /data/pocs/484ea7f2e63263aff85fa4a9c7627ad135ac6c63
└── [ 585]  README.md

1 directory, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!