CVE-2025-67559: Missing Authorization in vcita Online Booking & Scheduling Calendar for WordPress by vcita
Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.
AI Analysis
Technical Summary
CVE-2025-67559 identifies a missing authorization vulnerability in the vcita Online Booking & Scheduling Calendar plugin for WordPress, affecting versions up to and including 4.5.5. The vulnerability arises from incorrectly configured access control security levels within the plugin, which allow unauthorized users to perform actions that should be restricted. This type of flaw typically means that certain API endpoints or administrative functions do not properly verify whether the requesting user has the necessary permissions, potentially enabling attackers to access or manipulate booking schedules, client data, or other sensitive information managed by the plugin. The vulnerability was published on December 9, 2025, and no CVSS score has been assigned yet. No known exploits are currently reported in the wild, but the risk remains significant due to the nature of the missing authorization. The plugin is widely used by small and medium businesses to manage appointments and client interactions on WordPress sites, making it a valuable target for attackers seeking to disrupt business operations or steal sensitive customer data. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely by unauthenticated attackers, increasing the threat level. The absence of a patch link indicates that a fix may not yet be available, emphasizing the need for immediate attention from affected organizations.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to booking and scheduling data, potentially exposing sensitive client information and disrupting business operations. The integrity of appointment schedules could be compromised, leading to denial of service or reputational damage. Confidentiality breaches may result in GDPR compliance issues, attracting regulatory penalties and loss of customer trust. Organizations relying on vcita for client management, especially in sectors like healthcare, legal, or consultancy services, could face operational disruptions. The ease of exploitation without authentication increases the risk of automated attacks targeting vulnerable WordPress sites across Europe. Additionally, since WordPress powers a significant portion of websites in Europe, and vcita is popular among SMEs, the scope of affected systems is considerable. The vulnerability could also be leveraged as a foothold for further attacks within compromised networks.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the use of the vcita Online Booking & Scheduling Calendar plugin and verify the version in use. Until an official patch is released, restrict access to the plugin’s administrative interfaces by IP whitelisting or VPN access to limit exposure. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting vcita plugin endpoints. Review and tighten WordPress user roles and permissions to minimize the risk of privilege escalation. Monitor logs for unusual activity related to booking or scheduling functions. Engage with the vendor for timely updates and apply patches as soon as they become available. Consider temporarily disabling the plugin if business operations allow, to prevent exploitation. Educate staff on the risks and ensure backups of booking data are maintained to enable recovery in case of compromise.
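As an added example (not the plugin's or the vendor's code): a small Python audit helper for the first mitigation step. It reads the WordPress plugin header under wp-content/plugins/meeting-scheduler-by-vcita the way WordPress itself does and reports whether the installed version falls in the affected range (through 4.5.5). The plugins path in the usage line and the sample header are assumptions; the slug and version threshold come from the advisory.

```python
import os
import re

# Values taken from the advisory: the plugin slug and the last affected version.
PLUGIN_SLUG = "meeting-scheduler-by-vcita"
LAST_AFFECTED = "4.5.5"


def read_header_field(php_source, field):
    """Return a plugin header field (e.g. 'Version') from the first 8 KiB of a PHP file.
    WordPress's get_file_data() allows comment characters before the field name,
    so ' * Version: 4.5.5' inside a /** ... */ block is matched."""
    pattern = r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$"
    m = re.search(pattern, php_source[:8192], re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    return m.group(1).split("*/")[0].strip()


def version_key(version):
    """Numeric tuple for comparison, so 4.10.0 sorts above 4.5.5 (a plain string compare would not)."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when the installed version is at or below the last affected release."""
    return version_key(version) <= version_key(last_affected)


def scan_plugin(plugins_root, slug=PLUGIN_SLUG):
    """Locate the plugin's main file under <plugins_root>/<slug> (the first .php file
    carrying a 'Plugin Name:' header) and return (installed, version, affected)."""
    plugin_dir = os.path.join(plugins_root, slug)
    if not os.path.isdir(plugin_dir):
        return (False, None, False)
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)
        if read_header_field(head, "Plugin Name") is None:
            continue
        version = read_header_field(head, "Version")
        return (True, version, version is not None and is_affected(version))
    return (True, None, False)  # directory present but no readable plugin header


# Constructed sample header in the shape WordPress expects; not the vendor's actual file.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Online Booking & Scheduling Calendar for WordPress by vcita\n * Version: 4.5.5\n */\n"

if __name__ == "__main__":
    v = read_header_field(SAMPLE_HEADER, "Version")
    print("sample header version %s: affected=%s" % (v, is_affected(v)))
    print(scan_plugin("/var/www/html/wp-content/plugins"))  # assumed WordPress path
```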
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-09T12:21:23.943Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693833a929cea75c35ae56a3
Added to database: 12/9/2025, 2:35:21 PM
Last enriched: 12/9/2025, 3:09:30 PM
Last updated: 12/10/2025, 11:20:39 PM