EPSS
Percentile
51.5%
The plugin does not protect the live-site-parse-vcita-callback settings page against CSRF attacks, allowing an unauthenticated attacker to inject arbitrary web scripts by tricking a logged in user with contributor role or higher to click a link.
https://example.com/wp-admin/admin.php?page=live-site-parse-vcita-callback&success;=true&uid;=a&first;_name=a&last;_name=b&title;=c&confirmation;_token=d&confirmed;=true&engage;_delay=1&implementation;_key=1&email;=a“/>
blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita
plugins.trac.wordpress.org/browser/event-registration-calendar-by-vcita/trunk/system/parse_vcita_callback.php#L55
plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/trunk/system/parse_vcita_callback.php#L55