Cyber Resilience

CVE-2023-2298

High

Published: 03 June 2023

Modified: 08 April 2026
KEV Added
Patch
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0391 (88.6th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-2298 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Vcita Online Booking & Scheduling Calendar. Its CVSS base score is 7.2 (High).

Operationally, its EPSS score places it in the top 11.4% of CVEs by exploit likelihood (88.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Online Booking & Scheduling Calendar for WordPress by vcita plugin is affected by a stored cross-site scripting vulnerability (CWE-79) in versions up to and including 4.3.0. The flaw resides in insufficient input sanitization and output escaping of the business_id parameter, allowing malicious payloads to be persisted and later rendered in plugin-generated pages.

Unauthenticated attackers can supply crafted input over the network to inject arbitrary scripts. Because the attack requires no credentials or user interaction, and because the injected script executes in the browsers of visitors rather than in the vulnerable component alone (CVSS scope: changed), successful exploitation can result in limited confidentiality and integrity impacts whenever any visitor loads an injected page.

Public references point to a fix committed in the plugin's vcita-api-functions.php file, and Wordfence advisory data confirm that updating to a patched release addresses the input-handling weakness. Site administrators should apply the latest plugin version and verify that business_id values are sanitized when stored and escaped for their output context when rendered.
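The following PHP sketch is an added illustration, not code from the vcita plugin or from its vcita-api-functions.php fix; the function names, the option key and the assumed identifier-shaped format for business_id are hypothetical. It contrasts the pattern described above (a request parameter stored unchanged and later echoed into markup) with a hardened version that validates the value on input and escapes it for its output context, using the standard WordPress helpers a reviewer would expect to see in a patched release. The same input-validation and output-escaping pair is what the CWE-79 controls listed under Mitigating Controls describe.

```php
<?php
// Added example (hypothetical names); illustrates the weakness class described
// for CVE-2023-2298, not the plugin's actual code. Only 'business_id' comes
// from the advisory text.

// --- Vulnerable pattern: store raw input, echo it without escaping. ---
function example_store_business_id_unsafe() {
    // Request value persisted exactly as received (stored XSS sink later).
    $business_id = isset($_POST['business_id']) ? $_POST['business_id'] : '';
    update_option('example_business_id', $business_id);
}

function example_render_business_id_unsafe() {
    // Stored value rendered into an HTML attribute with no escaping:
    // any quote or tag in the stored value breaks out of the attribute.
    $business_id = get_option('example_business_id', '');
    echo '<input type="hidden" name="business_id" value="' . $business_id . '">';
}

// --- Hardened pattern: validate on input, escape on output. ---
function example_store_business_id_safe() {
    // Only a privileged, intentional request may change the setting.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }
    check_admin_referer('example_save_business_id');

    // Strip slashes WordPress adds to request data, then sanitize.
    $raw         = isset($_POST['business_id']) ? wp_unslash($_POST['business_id']) : '';
    $business_id = sanitize_text_field($raw);

    // Assumption: a business_id is an opaque identifier, so an allow-list
    // of identifier characters is enforced instead of a deny-list of tags.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $business_id)) {
        wp_die('Invalid business_id', '', array('response' => 400));
    }
    update_option('example_business_id', $business_id);
}

function example_render_business_id_safe() {
    // Escape for the exact output context: esc_attr() for an attribute,
    // esc_html() for element text, esc_js() inside a script string.
    $business_id = get_option('example_business_id', '');
    echo '<input type="hidden" name="business_id" value="' . esc_attr($business_id) . '">';
}
```

When reviewing a plugin update, the thing to look for is that both halves are present: sanitization at the point the parameter is accepted and a context-appropriate escape (esc_attr, esc_html, esc_js, esc_url) at every point it is printed. Validating only on input leaves previously stored values unprotected, and escaping only on output leaves the stored data available to any other code path that renders it.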

EPSS scores for the CVE rose from a low baseline to a recorded peak of 0.0646 before receding to the current value of 0.0391, indicating a measurable increase in exploitation interest after disclosure.

EU & UK References

Vulnerability details

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'business_id' parameter in versions up to, and including, 4.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vcita
online booking & scheduling calendar
≤ 4.2.10

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

References