What the vulnerability does
01 Description
Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita (meeting-scheduler-by-vcita) allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.3.
Explanation of Vulnerability in Simple Terms
02 Summary
The vcita Online Booking & Scheduling Calendar plugin for WordPress allows authenticated users with high privileges to upload files without proper validation. An attacker with admin or equivalent access can upload malicious files to the server, potentially gaining the ability to run their own code on the site. The vulnerability affects all versions up to and including 4.5.3.
What an attacker can do
03 Attacker Capabilities
Upload malicious files and run their own code on the WordPress site.
Potential impact on your site
04 Site Impact
A compromised admin account could lead to full site takeover, data theft, or malware installation.
Conditions required to exploit
05 Prerequisites
Attacker must have high-level admin or equivalent privileges on the WordPress site.
Key dates
06 Disclosure timeline
August 20, 2025: CVE published
April 28, 2026: Record updated