CVE-2024-9872: 
WordPress vulnerability analysis and mitigation

The Online Booking & Scheduling Calendar for WordPress by vcita plugin is affected by a vulnerability (CVE-2024-9872) discovered in December 2024. The vulnerability exists in all versions up to and including 4.5.1, where a missing capability check in the vcitasaveuserdatacallback() function allows unauthorized data modification (NVD CVE).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N) (Wordfence Intel).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to inject malicious web scripts and update settings in the WordPress installation. This could lead to unauthorized modification of data and potential execution of malicious scripts in the context of other users' sessions (NVD CVE).

A fix has been implemented in the WordPress plugin repository as evidenced by the changeset. Users are advised to update their installations to a version newer than 4.5.1 to address this vulnerability (WordPress Plugin).