CVE-2025-54677
vcita · vcita Online Booking & Scheduling Calendar for WordPress and other vcita products
Executive summary
A critical vulnerability has been identified in the vcita Online Booking & Scheduling Calendar for WordPress plugin, which could allow an unauthenticated attacker to upload malicious files to the server. Successful exploitation of this flaw could lead to a complete compromise of the affected website, potentially resulting in data theft, service disruption, and further network intrusion.
Vulnerability
This vulnerability is an "Unrestricted Upload of File with Dangerous Type" (CWE-434). The plugin's upload handler does not adequately validate the type, content, or extension of the files it accepts, and no authentication is required to reach it. An attacker can craft a malicious file, such as a PHP web shell, disguise it as a benign file type (e.g., an image), and upload it to a web-accessible directory on the server. The attacker then requests the uploaded file's URL directly; the web server hands it to the PHP interpreter, giving the attacker arbitrary code execution with the permissions of the web server process.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could have a severe impact on the business, leading to a full system compromise. Potential consequences include a breach of sensitive customer data (personal information, appointment details), reputational damage from website defacement or service outages, and significant financial costs associated with incident response and recovery. A compromised server could also be used as a pivot point to launch further attacks against other systems within the organization's network.
Remediation
Immediate Action: Apply the vendor's security patch by updating the vcita Online Booking & Scheduling Calendar plugin, and any other affected vcita products, to the latest available version. Patching closes the upload path but does not remove files an attacker may already have placed on the server, so after updating, review historical access logs for indicators of compromise, inspect the upload directories for unexpected executable files, and keep monitoring for exploitation attempts against the now-patched endpoint.
Proactive Monitoring: Monitor web server access logs for unusual POST requests to file upload endpoints, especially those followed by GET requests to newly created files with executable extensions (e.g., .php, .phtml) in upload directories. Implement file integrity monitoring to detect the creation of unexpected files in web-accessible folders. Monitor for anomalous outbound network traffic from the web server, which could indicate a command-and-control connection.
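The following detection logic is an added example, not code from the advisory or from vcita. It parses combined-format access log lines and flags the pattern described above: a successful POST to an upload-like endpoint followed, from the same client address within a time window, by a GET to a file with an executable extension under the WordPress uploads directory. It also flags any request for an executable file under uploads that has no prior upload from that client, since a shell can be planted from one address and used from another. The log lines, IP addresses, filenames and the upload endpoint path are constructed sample data; the vcita plugin's real upload route is not named in this advisory, so the "upload" substring match is an assumption to adjust to the endpoint in your environment.

```python
"""Upload-then-execute detection over web server access logs (added example)."""
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
EXEC_EXT = ('.php', '.phtml', '.php5', '.php7', '.phar')
UPLOAD_DIR = '/wp-content/uploads/'   # assumption: default WordPress upload tree
WINDOW = timedelta(minutes=30)         # assumption: upload and first use are close in time

# Constructed sample log: the POST path is a placeholder, not the plugin's actual route.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2025:14:02:11 +0000] "GET /wp-content/uploads/2025/08/photo.jpg HTTP/1.1" 200 51234
203.0.113.7 - - [10/Aug/2025:14:03:30 +0000] "POST /wp-admin/admin-ajax.php?action=upload HTTP/1.1" 200 93
203.0.113.7 - - [10/Aug/2025:14:03:42 +0000] "GET /wp-content/uploads/2025/08/image.php HTTP/1.1" 200 412
198.51.100.4 - - [10/Aug/2025:14:10:05 +0000] "GET /wp-content/uploads/2025/08/brochure.pdf HTTP/1.1" 200 8821
198.51.100.9 - - [10/Aug/2025:15:00:00 +0000] "GET /wp-content/uploads/cache/shell.phtml HTTP/1.1" 200 77
""".splitlines()


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def is_upload_post(rec):
    # Assumption: the upload endpoint has "upload" in its path or query string.
    return rec['method'] == 'POST' and 'upload' in rec['path'].lower()


def is_exec_under_uploads(rec):
    # Strip any query string before checking the extension.
    path = rec['path'].split('?', 1)[0].lower()
    return rec['method'] == 'GET' and UPLOAD_DIR in path and path.endswith(EXEC_EXT)


def scan(lines, window=WINDOW):
    """Return findings, oldest first. Each has kind 'upload-then-execute' or 'exec-in-uploads'."""
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r['ts'])
    recent_posts = {}   # client IP -> timestamps of successful upload POSTs
    findings = []
    for r in records:
        if is_upload_post(r) and 200 <= r['status'] < 400:
            recent_posts.setdefault(r['ip'], []).append(r['ts'])
            continue
        if not is_exec_under_uploads(r):
            continue
        prior = [t for t in recent_posts.get(r['ip'], [])
                 if timedelta(0) <= r['ts'] - t <= window]
        findings.append({
            'kind': 'upload-then-execute' if prior else 'exec-in-uploads',
            'ip': r['ip'],
            'path': r['path'],
            'status': r['status'],
            'ts': r['ts'].isoformat(),
        })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['kind']:20} {f['ip']:15} {f['status']} {f['path']} at {f['ts']}")
```

On the sample data this reports one upload-then-execute sequence from 203.0.113.7 and one unexplained request for shell.phtml from 198.51.100.9. Run it against real logs by replacing SAMPLE_LOG with the file contents; a request for an executable under uploads is suspicious regardless of the response code, since a 403 from a hardened directory still shows that someone tried.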
Compensating Controls: If patching cannot be performed immediately, consider the following controls:
- Implement strict Web Application Firewall (WAF) rules to block the upload of files with dangerous extensions.
- Disable the file upload functionality within the plugin if it is not essential for business operations.
- Ensure the web server is configured to prevent script execution in directories where files are uploaded.
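The third control above, as an added example rather than vendor guidance: an Apache .htaccess file dropped into wp-content/uploads/ so that a script planted there is served as a 403 instead of being executed. A stock WordPress install ships no such file, which is the weak state; the hardened version is below. The pattern matches an executable extension anywhere in the name, not only at the end, because Apache configurations that map PHP with AddHandler treat a name like shell.php.jpg as PHP. The directory path and module name are assumptions to match to your server.

```apache
# wp-content/uploads/.htaccess (added example; assumes Apache 2.4 and AllowOverride
# permitting FileInfo/Limit in this tree, otherwise the directives are ignored)

# Deny any request for a server-side script under the upload tree.
# "(\.|$)" catches double extensions such as shell.php.jpg as well as shell.php.
<FilesMatch "\.(php|phtml|php[0-9]|phar|pl|py|cgi)(\.|$)">
    Require all denied
</FilesMatch>

# Belt and braces for mod_php deployments: turn the PHP engine off here entirely.
# The module name varies by PHP version (mod_php7.c on older builds).
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

Verify the control rather than trusting it: place a harmless test file with a .php extension in the uploads directory and confirm the server returns 403 for it, then remove it. The nginx equivalent is a location block matching ^/wp-content/uploads/.*\.php that returns 403 or `deny all`, placed before the generic PHP location so it wins.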
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.1, this vulnerability represents a significant and immediate risk to the confidentiality, integrity, and availability of affected systems. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high severity and the ease of exploitation for this class of vulnerability mean that it is a prime target for threat actors. We strongly recommend that all organizations using the affected vcita products prioritize the application of the vendor-supplied patch immediately to prevent potential system compromise.