
CVE-2025-54677: CWE-434 Unrestricted Upload of File with Dangerous Type in vcita Online Booking & Scheduling Calendar for WordPress by vcita

Critical
Tags: Vulnerability, CVE-2025-54677, CWE-434
Published: Wed Aug 20 2025 (08/20/2025, 08:02:52 UTC)
Source: CVE Database V5
Vendor/Project: vcita
Product: Online Booking & Scheduling Calendar for WordPress by vcita

Description

Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.3.

AI-Powered Analysis

Last updated: 08/20/2025, 08:34:14 UTC

Technical Analysis

CVE-2025-54677 is a critical vulnerability classified under CWE-434, which pertains to the unrestricted upload of files with dangerous types within the vcita Online Booking & Scheduling Calendar plugin for WordPress. This vulnerability affects all versions of the plugin up to and including version 4.5.3. The core issue arises because the plugin does not properly restrict or validate the types of files that users can upload. As a result, an attacker with at least high privileges (PR:H) on the WordPress site can upload malicious files, such as web shells or scripts, that can be executed on the server. The vulnerability has a CVSS v3.1 base score of 9.1, indicating a critical severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) reveals that the attack can be performed remotely over the network without user interaction, requires high privileges (such as an authenticated admin or editor), and can lead to complete compromise of confidentiality, integrity, and availability of the affected system. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component, potentially allowing attackers to execute arbitrary code, manipulate data, or disrupt service. No known exploits are currently reported in the wild, and no official patches have been linked yet, though the vulnerability has been publicly disclosed as of August 20, 2025. This vulnerability is particularly dangerous because WordPress plugins are commonly used to extend website functionality, and booking/scheduling plugins often handle sensitive customer data and business operations. Exploitation could allow attackers to upload backdoors, steal sensitive information, deface websites, or disrupt business operations.

Potential Impact

For European organizations using the vcita Online Booking & Scheduling Calendar plugin, this vulnerability poses a significant risk. Many small to medium enterprises (SMEs), service providers, and even larger organizations rely on WordPress for their online presence and scheduling needs. Exploitation could lead to unauthorized access to customer data, including personal and payment information, violating GDPR and other data protection regulations. The integrity of booking data could be compromised, leading to operational disruptions and loss of customer trust. Availability could also be impacted if attackers deploy ransomware or other destructive payloads via the uploaded malicious files. Given the critical severity and the potential for complete system compromise, affected organizations could face financial losses, reputational damage, and regulatory penalties. The requirement for high privileges means that insider threats or compromised admin accounts are a key risk vector. Organizations with exposed WordPress admin interfaces or weak internal controls are especially vulnerable.

Mitigation Recommendations

1. Immediate mitigation should include restricting file upload permissions to only trusted users and roles, and disabling file uploads where not strictly necessary.
2. Implement strict file type validation and sanitization on the server side, ensuring only safe file types (e.g., images, PDFs) are accepted.
3. Monitor and audit user accounts with high privileges to detect any suspicious activity or unauthorized uploads.
4. Employ Web Application Firewalls (WAFs) with rules to detect and block malicious file uploads or web shell signatures.
5. Keep WordPress core, themes, and all plugins up to date; monitor for official patches from vcita and apply them promptly once available.
6. Conduct regular security scans and penetration tests focusing on file upload functionality.
7. Limit exposure of the WordPress admin interface by IP whitelisting or VPN access to reduce the attack surface.
8. Backup website data and configurations regularly to enable quick recovery in case of compromise.
9. Educate administrators on secure handling of plugin configurations and the risks of privilege misuse.

These steps go beyond generic advice by focusing on access control, monitoring, and proactive detection tailored to the nature of this vulnerability.
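As an added illustration of the CWE-434 pattern described in the Technical Analysis and of recommendation 2 above (this is not code from the vcita plugin, whose internals the advisory does not describe), the following plain-PHP snippet places the weak upload pattern beside a hardened one. The function names, the allowlist, and the assumption that the target directory is configured not to execute scripts are all ours, not the plugin's.

```php
<?php
// Added example, not vcita plugin code: a hardened upload path for a WordPress-style
// plugin. validate_upload() and store_upload() are hypothetical names.
// Allowlist: permitted extension => MIME type the file bytes must actually sniff as.
const UPLOAD_ALLOWLIST = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png', 'gif' => 'image/gif', 'pdf' => 'application/pdf'];
// The CWE-434 shape: the client-chosen name decides what lands in a web-served
// directory, so a ".php" upload (or "x.php.jpg" where the server honours
// multiple extensions) is stored exactly as submitted.
function vulnerable_store(array $file, string $dir): bool
{
    return move_uploaded_file($file['tmp_name'], $dir . '/' . $file['name']);
}
// Returns null if the temp file at $path may be stored under $clientName, else a reason.
function validate_upload(string $clientName, string $path): ?string
{
    // Plain basename only: no directory components, no empty name.
    if ($clientName === '' || $clientName !== basename($clientName)) {
        return 'invalid filename';
    }
    // Exactly one extension, so "x.php.jpg" and ".htaccess" are rejected outright.
    $parts = explode('.', strtolower($clientName));
    if (count($parts) !== 2 || $parts[0] === '') {
        return 'filename must have the form name.ext';
    }
    $ext = $parts[1];
    if (!isset(UPLOAD_ALLOWLIST[$ext])) {
        return "extension .$ext is not allowed";
    }
    // Sniff the bytes; never trust $_FILES[...]['type'], which the client sets.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime !== UPLOAD_ALLOWLIST[$ext]) {
        return "content is $mime, which does not match .$ext";
    }
    return null;
}
// Store under a server-generated name with the vetted extension, in a directory the
// web server is configured not to execute scripts from (assumed to be set up separately).
function store_upload(array $file, string $dir): string
{
    if (($err = validate_upload($file['name'], $file['tmp_name'])) !== null) {
        throw new RuntimeException("upload rejected: $err");
    }
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $dest;
}
```

The single-extension rule is deliberately strict and will reject legitimate names such as "q3.report.pdf"; relax it only by still checking every segment against the allowlist, never by trusting the last segment alone.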


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-07-28T10:55:49.520Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68a584baad5a09ad0002e443

Added to database: 8/20/2025, 8:18:02 AM

Last enriched: 8/20/2025, 8:34:14 AM

Last updated: 8/25/2025, 12:35:04 AM
