CVE-2025-32238 MEDIUM

CVE-2025-32238: WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.5 - Sensitive Data Exposure vulnerability

Vendor: Vcita
Product: Online Booking & Scheduling Calendar for WordPress by vcita
Weakness: CWE-209 · Error message info leak
Published: April 4, 2025
Last update: May 12, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Generation of Error Message Containing Sensitive Information vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita (meeting-scheduler-by-vcita) allows Retrieve Embedded Sensitive Data. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.

Explanation of Vulnerability in Simple Terms

02 Summary

The vcita Online Booking & Scheduling Calendar plugin for WordPress contains an information disclosure vulnerability in versions up to and including 4.5.5. The weakness is classified as CWE-209: the plugin generates an error message that contains sensitive information. An authenticated user with low privileges can access that information through the plugin's functionality. The vulnerability requires a valid WordPress account but no additional user interaction. Site administrators should update the plugin to a version newer than 4.5.5.

What an attacker can do

03 Attacker Capabilities

Read sensitive information from the plugin that should not be accessible to their privilege level.

Potential impact on your site

04 Site Impact

Users' sensitive data may be exposed to authenticated attackers with basic WordPress accounts.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

April 4, 2025: CVE published
May 12, 2026: Record updated