vcita — Vulnerabilities & Security Advisories 30

Browse all 30 CVE security advisories affecting vcita. AI-powered Chinese analysis, POCs, and references for each vulnerability.

vcita operates as a white-label business management platform, enabling agencies to deliver client-facing services through a unified interface for scheduling, payments, and communication. Its architecture, which facilitates extensive third-party integrations and customizable frontends, has historically exposed it to a significant attack surface, resulting in thirty recorded Common Vulnerabilities and Exposures. These flaws predominantly involve remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from inadequate input validation and insecure direct object references within its API endpoints. Security assessments reveal that the platform’s complexity in managing multi-tenant data structures has frequently led to authorization bypasses, allowing unauthorized access to sensitive client information. While the vendor has implemented patches for critical issues, the high volume of disclosed CVEs indicates persistent challenges in securing its dynamic, code-heavy environment against automated exploitation attempts.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-67559 | WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.5 - Broken Access Control vulnerability | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-862 | 5.4 | Medium | 2025-12-09 |
| CVE-2025-67472 | WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.5 - Cross Site Request Forgery (CSRF) vulnerability | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-352 | 4.3 | Medium | 2025-12-09 |
| CVE-2025-54677 | WordPress Online Booking & Scheduling Calendar for WordPress by vcita Plugin <= 4.5.3 - Arbitrary File Upload Vulnerability | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-434 | 9.1 | Critical | 2025-08-20 |
| CVE-2025-54676 | WordPress Online Booking & Scheduling Calendar for by vcita Plugin plugin <= 4.5.3 - Cross Site Scripting (XSS) Vulnerability | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-79 | 6.5 | Medium | 2025-08-14 |
| CVE-2025-5240 | CRM and Lead Management by vcita <= 2.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter | CRM and Lead Management by vcita | CWE-79 | 6.4 | Medium | 2025-07-22 |
| CVE-2025-32238 | WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.5 - Sensitive Data Exposure vulnerability | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-209 | 4.3 | Medium | 2025-04-04 |
| CVE-2024-13702 | CRM and Lead Management by vcita <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | CRM and Lead Management by vcita | CWE-79 | 6.4 | Medium | 2025-03-26 |
| CVE-2024-13703 | CRM and Lead Management by vcita <= 2.7.5 - Missing Authorization to Authenticated (Susbcriber+) Widget Toggle | CRM and Lead Management by vcita | CWE-862 | 4.3 | Medium | 2025-03-13 |
| CVE-2024-11895 | Online Payments – Get Paid with PayPal, Square & Stripe <= 3.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | Online Payments – Get Paid with PayPal, Square & Stripe | CWE-79 | 6.4 | Medium | 2025-02-18 |
| CVE-2024-11886 | Contact Form and Calls To Action by vcita <= 2.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | Contact Form and Calls To Action by vcita | CWE-79 | 6.4 | Medium | 2025-01-31 |
| CVE-2024-13717 | Contact Form and Calls To Action by vcita <= 2.7.1 - Missing Authorization to Authenticated (Subscriber+) Contact/Widget Toggle | Contact Form and Calls To Action by vcita | CWE-862 | 4.3 | Medium | 2025-01-31 |
| CVE-2025-22661 | WordPress Online Payments plugin <= 3.20.0 - Cross Site Scripting (XSS) vulnerability | Online Payments – Get Paid with PayPal, Square & Stripe | CWE-79 | 6.5 | Medium | 2025-01-21 |
| CVE-2024-11870 | Event Registration Calendar By vcita <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | Event Registration Calendar By vcita | CWE-79 | 6.4 | Medium | 2025-01-15 |
| CVE-2024-54356 | WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5 - Cross Site Request Forgery (CSRF) vulnerability | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-352 | 5.4 | Medium | 2024-12-16 |
| CVE-2024-9872 | Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-79 | 5.4 | Medium | 2024-12-06 |
| CVE-2024-47638 | WordPress Online Booking & Scheduling Calendar for WordPress plugin <= 4.4.6 - Reflected Cross Site Scripting (XSS) vulnerability | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-79 | 7.1 | High | 2024-10-05 |
| CVE-2024-37499 | WordPress Online Booking & Scheduling Calendar for WordPress plugin <= 4.4.2 - Local File Inclusion vulnerability | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-22 | 6.5 | Medium | 2024-07-09 |
| CVE-2024-5791 | Appointment Booking and Online Scheduling <= 4.4.2 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-79 | 7.2 | High | 2024-06-22 |
| CVE-2024-35761 | WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.4.0 - Cross Site Scripting (XSS) vulnerability | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-79 | 6.5 | Medium | 2024-06-21 |
| CVE-2024-5859 | Appointment Booking and Online Scheduling <= 4.4.2 - Reflected Cross-Site Scripting | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-79 | 6.1 | Medium | 2024-06-21 |
| CVE-2023-2414 | Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.6 - Missing Authorization to Settings Update and Arbitrary File Upload | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-862 | 5.4 | Medium | 2023-06-09 |
| CVE-2023-2416 | Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5 - Cross-Site Request Forgery to Account Logout | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-352 | 5.4 | Medium | 2023-06-03 |
| CVE-2023-2298 | Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.0 - Unauthenticated Stored Cross-Site Scripting | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-79 | 7.2 | High | 2023-06-03 |
| CVE-2023-2404 | CRM and Lead Management by vcita <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | CRM and Lead Management by vcita | CWE-79 | 6.4 | Medium | 2023-06-03 |
| CVE-2023-2415 | Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 - Missing Authorization to Account Logout | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-862 | 5.4 | Medium | 2023-06-03 |
| CVE-2023-2302 | Contact Form and Calls To Action by vcita <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | Contact Form and Calls To Action by vcita | CWE-79 | 6.4 | Medium | 2023-06-03 |
| CVE-2023-2299 | Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.2 - Missing Authorization on REST-API | Online Booking & Scheduling Calendar for WordPress by vcita | CWE-862 | 5.3 | Medium | 2023-06-03 |
| CVE-2023-2406 | Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | Event Registration Calendar By vcita | CWE-79 | 6.4 | Medium | 2023-06-03 |
| CVE-2023-2407 | Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.10.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting | Event Registration Calendar By vcita | CWE-352 | 6.1 | Medium | 2023-06-03 |
| CVE-2023-2405 | CRM and Lead Management by vcita <= 2.7.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting | CRM and Lead Management by vcita | CWE-352 | 6.1 | Medium | 2023-06-03 |

This page lists every published CVE security advisory associated with vcita. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.