CVE-2025-67472 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the vcita Online Booking & Scheduling Calendar plugin for WordPress, affecting versions up to and including 4.5.5. CSRF vulnerabilities allow attackers to induce authenticated users to perform unintended actions on a web application without their consent. In this case, the vulnerability permits an attacker to craft malicious requests that, when executed by a logged-in user, can manipulate booking and scheduling data managed by the plugin. The vulnerability has a CVSS v3.1 base score of 8.8, indicating high severity, with an attack vector of network (remote exploitation), low attack complexity, no privileges required, but requiring user interaction (the victim must visit a malicious site). The impact includes high confidentiality, integrity, and availability consequences, meaning attackers can potentially access sensitive scheduling information, alter or delete bookings, or disrupt service availability. The plugin is widely used by small and medium businesses to manage client appointments, making this vulnerability particularly impactful. Although no known exploits are currently reported in the wild, the ease of exploitation and the critical nature of the data involved necessitate urgent attention. The vulnerability was publicly disclosed on December 9, 2025, by Patchstack, but no official patch links are yet available, indicating that users must monitor for updates and apply them promptly once released.

For European organizations, especially those in service industries relying on online booking systems, this vulnerability poses significant risks. Exploitation could lead to unauthorized access to client appointment data, manipulation or deletion of bookings, and potential denial of service by disrupting scheduling operations. This can result in loss of customer trust, financial losses due to disrupted services, and potential regulatory penalties under GDPR for mishandling personal data. The confidentiality breach could expose sensitive client information, while integrity and availability impacts could disrupt business continuity. Since the plugin is integrated into WordPress sites, which are prevalent across Europe, the attack surface is considerable. Organizations with high customer interaction through online scheduling, such as healthcare providers, legal services, and consultancy firms, are particularly vulnerable. The lack of required privileges for exploitation increases the threat level, as attackers do not need to compromise user credentials beforehand.

1. Monitor the vcita plugin official channels and trusted vulnerability databases for the release of a security patch addressing CVE-2025-67472 and apply it immediately upon availability. 2. Until a patch is released, implement web application firewall (WAF) rules to detect and block suspicious CSRF attack patterns targeting the plugin endpoints. 3. Enforce strict Content Security Policy (CSP) headers and SameSite cookie attributes to reduce the risk of CSRF exploitation. 4. Limit administrative and user privileges within WordPress to the minimum necessary to reduce the impact of potential attacks. 5. Educate users and administrators about the risks of clicking on untrusted links while authenticated to the WordPress backend. 6. Regularly audit and monitor logs for unusual activity related to booking and scheduling operations. 7. Consider temporarily disabling the plugin if the risk outweighs operational necessity until a patch is available. 8. Employ multi-factor authentication (MFA) for WordPress administrative accounts to add an additional security layer.