CVE-2024-9872: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vcita Online Booking & Scheduling Calendar for WordPress by vcita
CVE-2024-9872 is a medium severity cross-site scripting (XSS) vulnerability in the vcita Online Booking & Scheduling Calendar WordPress plugin. It affects all versions up to and including 4.5.1 and allows authenticated users with Subscriber-level access or higher to inject malicious scripts due to a missing capability check in the vcita_save_user_data_callback() function. Exploitation requires user interaction and privileges but can lead to unauthorized data modification and settings updates. The vulnerability impacts confidentiality and integrity but not availability. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching once a fix is available and implement strict access controls to mitigate risk. Countries with high WordPress usage and significant vcita plugin adoption are most at risk.
AI Analysis
Technical Summary
CVE-2024-9872 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in the vcita Online Booking & Scheduling Calendar plugin for WordPress. The root cause is a missing capability check in the vcita_save_user_data_callback() function, which is responsible for saving user data. This flaw allows authenticated users with Subscriber-level privileges or higher to inject malicious JavaScript code into the plugin's settings or data fields. Because the vulnerability exists in all versions up to and including 4.5.1, any site running these versions is susceptible. The vulnerability requires the attacker to have at least low-level authenticated access, which is common in WordPress environments where subscribers or similar roles exist. The CVSS 3.1 base score is 5.4 (medium), reflecting that the attack vector is network-based, with low attack complexity, requiring privileges and user interaction, and impacting confidentiality and integrity with a scope change. Exploitation could allow attackers to execute arbitrary scripts in the context of the affected site, potentially leading to session hijacking, data theft, or unauthorized changes to plugin settings. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The vulnerability does not affect availability directly but compromises data integrity and confidentiality, making it a significant risk for organizations relying on this plugin for customer bookings and scheduling.
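The following PHP is an added illustration, not the vcita plugin's own code: a WordPress admin-ajax handler that exhibits the class of flaw described above (reachable by any logged-in user, no capability check, unsanitized input persisted) beside a hardened version of the same handler. The option name, field name, nonce action and the vulnerable function body are assumptions made for this example.

```php
<?php
// Added illustration (not vcita's code). Shows why a wp_ajax_ handler without a
// capability check is reachable by Subscribers, and how to harden it.
// Option name, field name and nonce action are hypothetical.

// Vulnerable pattern: wp_ajax_{action} fires for EVERY authenticated user, so a
// Subscriber can call it; nothing checks a capability or nonce, and the value is
// stored verbatim, so script markup persists into the settings.
// add_action( 'wp_ajax_vcita_save_user_data', 'vcita_save_user_data_callback_vulnerable' );
function vcita_save_user_data_callback_vulnerable() {
    $data = array(
        'business_name' => $_POST['business_name'] ?? '', // stored unsanitized
    );
    update_option( 'example_vcita_user_data', $data );    // hypothetical option
    wp_send_json_success();
}

// Hardened pattern: nonce + capability check + sanitize on write + escape on read.
add_action( 'wp_ajax_vcita_save_user_data', 'vcita_save_user_data_callback_hardened' );
function vcita_save_user_data_callback_hardened() {
    // 1. CSRF protection: the request must carry the nonce issued to the settings
    //    page (wp_create_nonce( 'example_vcita_save_user_data' ) on render).
    check_ajax_referer( 'example_vcita_save_user_data', 'nonce' );

    // 2. Authorization: only users allowed to manage options may save settings.
    //    This is the check whose absence the advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Sanitize on input: strip tags and normalize whitespace before storing.
    $data = array(
        'business_name' => sanitize_text_field( wp_unslash( $_POST['business_name'] ?? '' ) ),
    );
    update_option( 'example_vcita_user_data', $data );
    wp_send_json_success();
}

// 4. Escape on output wherever the stored value is rendered into HTML, so even
//    data saved by an older vulnerable version cannot execute as script.
function example_vcita_render_business_name() {
    $data = get_option( 'example_vcita_user_data', array() );
    echo esc_html( $data['business_name'] ?? '' );
}
```

For an audit, grep the plugin for every wp_ajax_ registration and confirm each callback performs both a nonce check and a current_user_can() check before writing; the sanitize-on-input, escape-on-output pair then limits the damage if one is missed.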
Potential Impact
The vulnerability allows attackers with minimal authenticated privileges to inject malicious scripts, potentially leading to unauthorized access to sensitive user data, session hijacking, or manipulation of booking and scheduling information. This can undermine customer trust, lead to data breaches, and disrupt business operations relying on the plugin. Since the plugin is used to manage online bookings and scheduling, attackers could alter appointment details or steal personal information, impacting both service providers and their clients. The scope of impact is significant for organizations using WordPress sites with this plugin, especially those handling sensitive customer data or financial transactions. The integrity and confidentiality of data are at risk, which could result in regulatory compliance violations and reputational damage. Although no known exploits are currently in the wild, the medium severity score and ease of exploitation by authenticated users make timely mitigation critical to prevent potential attacks.
Mitigation Recommendations
1. Immediately restrict Subscriber-level and other low-privilege user roles from accessing or modifying vcita plugin settings until a patch is available.
2. Monitor and audit user activities related to the vcita plugin to detect any unauthorized changes or suspicious behavior.
3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the plugin's endpoints.
4. Encourage users to upgrade to the latest plugin version once a patch addressing this vulnerability is released by vcita.
5. Limit the number of users with authenticated access to the WordPress backend, especially those with Subscriber or higher roles, to reduce the attack surface.
6. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites.
7. Regularly review and harden WordPress user role permissions to ensure least privilege principles are enforced.
8. Educate site administrators and users about the risks of XSS and the importance of cautious interaction with plugin settings and user-generated content.
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-10-11T15:03:37.209Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b62b7ef31ef0b554dd8
Added to database: 2/25/2026, 9:36:34 PM
Last enriched: 2/25/2026, 11:44:50 PM
Last updated: 2/26/2026, 6:17:17 AM