CVE-2025-54677 CRITICAL

CVE-2025-54677: WordPress Online Booking & Scheduling Calendar for WordPress by vcita Plugin <= 4.5.3 - Arbitrary File Upload Vulnerability

Vendor: Vcita
Product: Online Booking & Scheduling Calendar for WordPress by vcita
Weakness: CWE-434 · Unrestricted file upload
Published: August 20, 2025
Last update: April 28, 2026

CVSS base score

9.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita (meeting-scheduler-by-vcita) allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: all versions up to and including 4.5.3.

Explanation of Vulnerability in Simple Terms

02 Summary

The vcita Online Booking & Scheduling Calendar plugin for WordPress allows authenticated users with high privileges to upload files without proper validation. An attacker with admin or equivalent access can upload malicious files to the server, potentially gaining the ability to run their own code on the site. The vulnerability affects all versions up to 4.5.3.

What an attacker can do

03 Attacker Capabilities

Upload malicious files and run their own code on the WordPress site.

Potential impact on your site

04 Site Impact

A compromised admin account could lead to full site takeover, data theft, or malware installation.

Conditions required to exploit

05 Prerequisites

Attacker must have high-level admin or equivalent privileges on the WordPress site.

Key dates

06 Disclosure timeline

August 20, 2025: CVE published
April 28, 2026: Record updated
