CVE-2024-13703

Medium CVSS: 4.3

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_ajax_toggle_ae() function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable plugin widgets.

Vendor

Vcita

Product

Crm And Lead Management By Vcita

CWE

CWE-862

Yayın Tarihi

2025-03-13 02:15:11

Güncelleme

2025-05-26 02:16:41

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-862 Crm And Lead Management By Vcita MEDIUM Vcita 2025

Referanslar

https://plugins.trac.wordpress.org/browser/crm-customer-relationship-management-by-vcita/trunk/vcita-ajax-function.php#L6 https://www.wordfence.com/threat-intel/vulnerabilities/id/8e8c2aa5-5770-4b88-b415-40c2aff69d84?source=cve

Benzer Kayıtlar

Medium

CVE-2025-67559

Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-schedul…

High

CVE-2025-67472

Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita mee…

High

CVE-2025-54677

Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPres…

Medium

CVE-2025-54676

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vcita Online Booki…

Unknown

CVE-2025-32238

Generation of Error Message Containing Sensitive Information vulnerability in vcita Online Booking & Scheduling Calendar…

Medium

CVE-2024-13702

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's…