CVE-2024-13717
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The vcita plugin for WordPress (≤2.7.1) lacked capability checks in two AJAX functions, letting subscribers toggle widgets without authorization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Contact Form and Calls To Action by vcita plugin for WordPress versions up to and including 2.7.1 fails to perform proper capability checks on the vcita_ajax_toggle_ae and vcita_ajax_toggle_contact AJAX functions. This missing authorization allows any authenticated user, including those with only subscriber-level access, to enable or disable widgets managed by the plugin [1]. The plugin has been closed and removed from the WordPress.org plugin directory as of January 30, 2025 due to a security issue [1].
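The defect class described above, as an added illustration in PHP that is not the vcita plugin's own code: a WordPress AJAX handler that changes plugin state with no authorization check, beside the hardened form a maintainer would ship. Function, action, nonce and option names are hypothetical.

```php
<?php
// Added illustration of the missing-authorization bug class in WordPress
// AJAX handlers. Not the plugin's actual code; all names are hypothetical.

// Vulnerable pattern: wp_ajax_* fires for ANY logged-in user (including
// subscribers), and the handler writes state without asking who is calling.
function example_ajax_toggle_widget_vulnerable() {
    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_widget_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_example_toggle_widget_v1', 'example_ajax_toggle_widget_vulnerable' );

// Hardened pattern: first verify a nonce bound to this action (blocks CSRF),
// then require a capability that only administrators hold (blocks subscribers).
// The client obtains the nonce from wp_create_nonce( 'example_toggle_widget' )
// and sends it in the 'nonce' field of the POST body.
function example_ajax_toggle_widget_secure() {
    check_ajax_referer( 'example_toggle_widget', 'nonce' ); // dies on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_widget_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_example_toggle_widget', 'example_ajax_toggle_widget_secure' );
```

When auditing a plugin for this class, list every `add_action( 'wp_ajax_...' )` registration and confirm each callback performs both a nonce check and a `current_user_can()` check before any write; a nonce alone is not an authorization check.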
Exploitation
An attacker needs only a valid WordPress account with subscriber-level privileges or above. No additional permissions or complex conditions are required. By sending crafted AJAX requests to the vulnerable functions, the attacker can toggle the plugin’s widgets on or off without proper authorization checks [1].
Impact
Successful exploitation results in unauthorized modification of widget state — the attacker can enable or disable the plugin's contact form and calls to action widgets. This impacts the integrity of site content and layout, potentially disrupting intended functionality or hiding important elements from visitors. The attacker does not gain elevated privileges or access to sensitive data, but alters the site's appearance and behavior [1].
Mitigation
The plugin has been closed and removed from the official WordPress.org plugin directory as of January 30, 2025, citing a security issue; no patched version was released [1]. Users who have this plugin installed are strongly advised to uninstall it immediately and replace it with an alternative. No workaround is available as the plugin is no longer maintained or distributed [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Contact Form and Calls To Action by vcita (WordPress plugin): versions <= 2.7.1
Patches
lead-capturing-call-to-actions-by-vcita: This plugin has been removed from the WordPress.org directory on 2025-01-30 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.