CVE-2025-67559

5.4 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization (broken access control) vulnerability in the Online Booking & Scheduling Calendar for WordPress by vcita plugin: at least one piece of plugin functionality does not verify that the calling user is permitted to use it. All plugin versions up to and including 4.5.5 are affected. A user who already has some level of access to the site could reach functionality or data that should be restricted to higher-privileged roles.

💻 Affected Systems

Products:
  • Online Booking & Scheduling Calendar for WordPress by vcita
Versions: all releases up to and including 4.5.5 (the advisory gives no lower bound)
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with this specific plugin installed and activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker holding a low-privilege account on the site could modify booking settings, read sensitive user data, or manipulate scheduling functionality that should be restricted to administrators.

🟠

Likely Case

Unauthorized users could access or modify booking configurations, potentially disrupting business operations or exposing limited sensitive information.

🟢

If Mitigated

If authenticated access to the site is limited to trusted users and the plugin is updated promptly, impact is confined to the plugin's own booking and scheduling functionality and does not extend to the rest of the WordPress installation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account on the WordPress site, but not necessarily an administrator account; no public proof of concept is known at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >4.5.5 (update to any release later than 4.5.5)

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/meeting-scheduler-by-vcita/vulnerability/wordpress-online-booking-scheduling-calendar-for-wordpress-by-vcita-plugin-4-5-5-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Online Booking & Scheduling Calendar for WordPress by vcita'.
4. Click 'Update Now' if an update is offered; otherwise download the latest version from the WordPress plugin repository and install it over the existing copy.
5. Confirm the plugin is active and that the reported version is later than 4.5.5.

🔧 Temporary Workarounds

Disable Plugin (applies to: all platforms)

Temporarily deactivate the vulnerable plugin until it is patched. Deactivation removes the booking functionality for site visitors as well, so plan for that outage.

wp plugin deactivate meeting-scheduler-by-vcita

Restrict Access (applies to: all platforms)

Use web application firewall rules to restrict who can reach the plugin's endpoints, for example by allowing only your administrators' IP ranges. Confirm the real entry points before writing rules: WordPress plugins usually expose privileged actions through shared endpoints such as admin-ajax.php or the REST API rather than through files under /wp-content/plugins/, so a rule keyed only on the plugin directory may not block exploitation.

🧯 If You Can't Patch

  • Implement strict network access controls (IP allow-lists, VPN) in front of wp-login.php and /wp-admin/ to limit who can obtain or use the authenticated access the exploit needs
  • Review existing user accounts and remove or downgrade any that are not needed; if open registration is enabled (Settings > General, "Anyone can register") and the site does not need it, turn it off, since exploitation requires an account but not administrator rights
  • Enable detailed logging and monitoring for access to plugin functionality and for changes to booking or scheduling settings

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for 'Online Booking & Scheduling Calendar for WordPress by vcita' version 4.5.5 or lower

Check Version:

wp plugin get meeting-scheduler-by-vcita --field=version

Verify Fix Applied:

Verify plugin version is greater than 4.5.5 in WordPress admin panel
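The version checks above can be scripted so that the result is unambiguous and usable as a gate in a deployment pipeline. The following is an added example, not code from the advisory or from vcita. It compares the installed version against the affected range numerically (so 4.10.0 is correctly treated as newer than 4.5.5, which a plain string comparison would get wrong) and, when run with --live, reads the installed version through WP-CLI. It assumes WP-CLI is on PATH and the script is run from the WordPress root (or that --path is added to the wp calls); the slug meeting-scheduler-by-vcita is taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): decide whether an
# installed copy of the plugin is within the affected range (<= 4.5.5), and
# optionally read the version live via WP-CLI.
# Assumptions: WP-CLI on PATH; run from the WordPress root (or add
# --path=/var/www/html to the wp calls).

SLUG="meeting-scheduler-by-vcita"
LAST_VULNERABLE="4.5.5"

# version_le A B: exit 0 when A <= B. Fields are compared numerically, so
# 4.10.0 is newer than 4.5.5. Missing fields count as 0, so 4.5 == 4.5.0.
# A suffix such as "5-beta" is read as 5 by awk's numeric coercion.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# is_vulnerable VERSION: exit 0 when VERSION is within the affected range.
is_vulnerable() {
    version_le "$1" "$LAST_VULNERABLE"
}

# report VERSION: print a verdict; return 0 when safe, 2 when vulnerable,
# so the script can gate a deployment check.
report() {
    if is_vulnerable "$1"; then
        printf 'VULNERABLE: %s %s is <= %s (CVE-2025-67559); update the plugin\n' \
            "$SLUG" "$1" "$LAST_VULNERABLE"
        return 2
    fi
    printf 'OK: %s %s is newer than %s\n' "$SLUG" "$1" "$LAST_VULNERABLE"
    return 0
}

# Live check, run only when invoked as: sh check-vcita.sh --live
if [ "${1-}" = "--live" ]; then
    if ! ver=$(wp plugin get "$SLUG" --field=version 2>/dev/null); then
        echo "$SLUG is not installed; nothing to do"
        exit 0
    fi
    # An inactive copy is not exploitable but still needs the update.
    echo "$SLUG status: $(wp plugin get "$SLUG" --field=status 2>/dev/null)"
    report "$ver"
    exit $?
fi
```

Run it with --live on the host after updating to confirm the verdict flips to OK; if the site is managed with WP-CLI, the update itself is `wp plugin update meeting-scheduler-by-vcita`.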

📡 Detection & Monitoring

Log Indicators:

  • Requests to paths under /wp-content/plugins/meeting-scheduler-by-vcita/, and to shared WordPress entry points (admin-ajax.php, the REST API) that carry this plugin's actions, from sessions that are not administrators; a web server access log shows the request and status but not the WordPress role, so correlate with the logged-in user where an audit-log plugin or application log makes that possible
  • Booking or scheduling configuration changes that do not match any administrator's activity

Network Indicators:

  • HTTP requests to plugin-specific endpoints from IP addresses outside the ranges your administrators and staff normally use

SIEM Query:

source="wordpress.log" AND ("meeting-scheduler-by-vcita" OR "vcita") AND (status=403 OR status=401)

Adjust source= to wherever your web server access logs are indexed. This query only surfaces denied requests, which indicate probing or failed attempts. Because a missing-authorization flaw serves the unauthorized request successfully, also review 2xx responses to the same plugin paths and check which account was logged in when they occurred.
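To show what the 2xx-versus-4xx distinction looks like in practice, here is an added example that is not part of the advisory: a small triage script over a combined-format web server access log. It lists requests that touched the plugin and succeeded, and tallies them per client IP. The sample log lines are constructed for the example. The request patterns it matches (the plugin directory, plus admin-ajax.php or REST requests containing "vcita") are an assumption about how the plugin is reached, not something the advisory states; confirm them against the plugin source before relying on the rules.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a combined-format access log
# for requests that touched this plugin and SUCCEEDED. A missing-authorization
# bug serves the unauthorized request with 2xx, so 401/403 hits are probing at
# most; the 2xx hits are the ones to review.
#
# Assumption (not stated in the advisory): the plugin is reached either under
# its own directory or via admin-ajax.php / the REST API with "vcita" in the
# request. Confirm against the plugin source.

# plugin_hits [STATUS_PREFIX] < access.log
# Prints request lines that matched the plugin patterns and whose status
# begins with STATUS_PREFIX ("2" by default, i.e. successful requests).
plugin_hits() {
    prefix="${1:-2}"
    awk -v prefix="$prefix" '
    {
        # Combined log: $1 client IP, $6 "METHOD, $7 path?query, $9 status
        path = $7; status = $9
        if (status !~ ("^" prefix)) next
        if (path ~ /\/wp-content\/plugins\/meeting-scheduler-by-vcita\//) print
        else if (path ~ /\/wp-admin\/admin-ajax\.php/ && path ~ /vcita/) print
        else if (path ~ /\/wp-json\// && path ~ /vcita/) print
    }'
}

# hits_by_client < access.log
# Counts successful plugin hits per client IP, most active first, to spot a
# single account or host working the plugin over.
hits_by_client() {
    plugin_hits 2 | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample log lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=vcita_save_settings HTTP/1.1" 200 412
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-content/plugins/meeting-scheduler-by-vcita/readme.txt HTTP/1.1" 200 9000
198.51.100.9 - - [10/Jan/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=vcita_save_settings HTTP/1.1" 403 0
198.51.100.9 - - [10/Jan/2025:10:00:04 +0000] "GET /wp-json/vcita/v1/settings HTTP/1.1" 200 300
192.0.2.1 - - [10/Jan/2025:10:00:05 +0000] "GET /?p=12 HTTP/1.1" 200 5000'

# Convenience wrappers over the sample: number of successful and denied hits.
sample_hits()   { printf '%s\n' "$SAMPLE_LOG" | plugin_hits 2 | grep -c . ; }
sample_denied() { printf '%s\n' "$SAMPLE_LOG" | plugin_hits 4 | grep -c . ; }
```

Against a real log, run `plugin_hits < /var/log/nginx/access.log` and `hits_by_client < /var/log/nginx/access.log`; the denied view (`plugin_hits 4`) corresponds to the 401/403 query above, while the default view is the one that can contain actual exploitation.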

🔗 References
