CVE-2024-5791
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious scripts via the 'wp_id' parameter in the vcita WordPress plugin. The scripts execute when users access the WordPress admin dashboard, potentially compromising administrator accounts. All WordPress sites using the vulnerable plugin versions are affected.
💻 Affected Systems
- Online Booking & Scheduling Calendar for WordPress by vcita
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to WordPress, leading to complete site takeover, data theft, malware distribution, or ransomware deployment.
Likely Case
Attackers hijack admin sessions to modify content, steal credentials, or install backdoors for persistent access.
If Mitigated
With proper WAF rules and input validation, the attack would be blocked or sanitized, preventing script execution.
🎯 Exploit Status
The vulnerability is straightforward to exploit due to missing authorization and insufficient sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.3 or later
Vendor Advisory: https://wordpress.org/plugins/meeting-scheduler-by-vcita/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin dashboard.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Online Booking & Scheduling Calendar for WordPress by vcita'.
4. Click 'Update Now' if available, or manually update to version 4.4.3+.
5. Verify the plugin version after the update.
🔧 Temporary Workarounds
Disable the vulnerable plugin
Temporarily deactivate the plugin until patched to prevent exploitation.
wp plugin deactivate meeting-scheduler-by-vcita
Implement WAF rules
Configure the web application firewall to block requests whose 'wp_id' parameter contains script markup or JavaScript.
🧯 If You Can't Patch
- Remove the plugin entirely if not essential for site functionality.
- Restrict access to wp-admin dashboard using IP whitelisting or additional authentication layers.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins. If version is 4.4.2 or lower, it is vulnerable.
Check Version:
wp plugin get meeting-scheduler-by-vcita --field=version
Verify Fix Applied:
After updating, confirm the plugin version is 4.4.3 or higher in the same location.
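The version check above is easy to get wrong in a script: comparing "4.4.10" and "4.4.3" as strings puts the newer release first. The following is an added example (not vendor or plugin code) that compares the version numerically against the 4.4.3 fix threshold stated in this advisory; it assumes you feed it the output of the wp-cli command shown above, either on stdin or as an argument.

```python
import re
import sys

# First patched release according to the advisory.
FIXED_VERSION = (4, 4, 3)


def parse_version(text):
    """Turn a version string such as '4.4.2' or '4.4.10-beta1' into a tuple of
    integers so that comparison is numeric rather than lexicographic.
    Any suffix after the dotted numeric part is ignored."""
    text = text.strip()
    m = re.match(r'(\d+(?:\.\d+)*)', text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split('.'))


def is_vulnerable(version_text):
    """True when the installed plugin version is below 4.4.3."""
    installed = parse_version(version_text)
    # Pad short versions so that '4.4' compares as (4, 4, 0).
    padded = installed + (0,) * (len(FIXED_VERSION) - len(installed))
    return padded < FIXED_VERSION


if __name__ == '__main__':
    # Usage (assumed): wp plugin get meeting-scheduler-by-vcita --field=version | python3 check_vcita.py
    version = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()
    if is_vulnerable(version):
        print(f"VULNERABLE: installed {version.strip()} < 4.4.3, update the plugin")
        sys.exit(1)
    print(f"OK: installed {version.strip()} >= 4.4.3")
```

The numeric tuple comparison is what makes "4.4.10" correctly count as patched, and "4.4.3.1" (a longer tuple with the fixed prefix) is also treated as patched.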
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin with 'wp_id' parameter containing script tags or JavaScript code
- Multiple failed login attempts followed by successful admin access from new IPs
Network Indicators:
- Incoming traffic to wp-admin with encoded script payloads in parameters
- Outbound connections to suspicious domains from the WordPress server
SIEM Query:
source="wordpress.log" AND ("wp_id" AND ("<script" OR "javascript:" OR "onerror="))
🔗 References
- https://plugins.trac.wordpress.org/browser/meeting-scheduler-by-vcita/tags/4.4.2/vcita-api-functions.php#L40
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c033171a-d81f-4cae-830b-8bdc4017b85e?source=cve