CVE-2025-67472

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in vcita's WordPress booking plugin allows attackers to trick authenticated administrators into performing unintended actions, such as changing plugin settings or potentially compromising the WordPress site. It affects all WordPress sites running the vcita Online Booking & Scheduling Calendar plugin version 4.5.5 or earlier.

💻 Affected Systems

Products:
  • Online Booking & Scheduling Calendar for WordPress by vcita
Versions: <= 4.5.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress administrator to be logged in and visit a malicious page while authenticated.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site takeover if the attacker can trick an admin into executing malicious requests that modify critical WordPress settings or install backdoors.

🟠 Likely Case: Unauthorized changes to booking system settings, appointment data manipulation, or plugin configuration changes leading to service disruption.

🟢 If Mitigated: No impact if proper CSRF tokens are implemented and validated by the plugin.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to weaponize once the vulnerable endpoints are identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 4.5.5

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/meeting-scheduler-by-vcita/vulnerability/wordpress-online-booking-scheduling-calendar-for-wordpress-by-vcita-plugin-4-5-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Online Booking & Scheduling Calendar for WordPress by vcita'.
4. Click 'Update Now' if available, or download the latest version from the WordPress repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Implement CSRF Protection via Security Plugin (applies to: all)

Use WordPress security plugins that add CSRF protection globally.

Restrict Admin Access (applies to: all)

Limit administrator access to trusted networks only.

🧯 If You Can't Patch

  • Disable the vcita plugin temporarily until patching is possible
  • Implement strict Content Security Policy (CSP) headers to restrict cross-origin requests

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for vcita Online Booking & Scheduling Calendar version

Check Version:

wp plugin list --name=meeting-scheduler-by-vcita --field=version

The --name filter of wp plugin list matches the plugin slug (meeting-scheduler-by-vcita, as used in the vendor advisory URL), not the display name shown in the admin panel; filtering on the display name returns no rows.

Verify Fix Applied:

Verify plugin version is > 4.5.5 in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to vcita plugin endpoints from same IP with different referrers
  • Unexpected changes to booking settings without corresponding admin actions

Network Indicators:

  • Cross-origin requests to /wp-admin/admin-ajax.php with vcita-specific actions

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php") AND (query_string="action=vcita_*") AND referrer_domain!=site_domain
