MotoPress Timetable Plugin Vulnerable to Authorization Bypass
CVE-2020-36840
9.8 CRITICAL
Key Information:
- Vendor: WordPress
- CVE Published: 16 October 2024
Summary
The MotoPress Timetable and Event Schedule plugin for WordPress is vulnerable to an authorization bypass due to a missing capability check in the wp_ajax_route_url() function. Because the function is registered as a nopriv AJAX action, it can be reached without any authentication, so unauthenticated attackers are able to exploit it. Attackers can invoke unauthorized actions, such as including arbitrary templates or injecting harmful web scripts, posing a significant security risk to affected WordPress sites.
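An illustration of the bug class described above, added here and not code from the MotoPress plugin: a hypothetical WordPress AJAX handler that is exposed through a nopriv hook with no authorization or input checks, beside a hardened version that requires a nonce, a capability and an allow-listed template key. The handler, hook and parameter names (mp_route_url, tpl, the template list) are assumed.

```php
<?php
// Added illustration of a missing capability check in a nopriv AJAX action.
// Not MotoPress code; handler name, hook name and parameter are assumed.

// --- Vulnerable pattern: no nonce, no capability check, and request data
//     is used directly to choose which template file to include.
function mp_route_url_vulnerable() {
    $tpl = $_POST['tpl'] ?? '';
    include plugin_dir_path( __FILE__ ) . 'templates/' . $tpl; // request-controlled path
    wp_die();
}
add_action( 'wp_ajax_mp_route_url',        'mp_route_url_vulnerable' );
add_action( 'wp_ajax_nopriv_mp_route_url', 'mp_route_url_vulnerable' ); // reachable by anyone

// --- Hardened pattern: every request must pass three gates.
function mp_route_url_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'mp_route_url_nonce', 'nonce' );

    // 2. Authorization: only users with the right capability may call it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: map a short key onto a fixed allow-list so request
    //    data never becomes part of a file path.
    $allowed = array(
        'week'  => 'templates/week.php',
        'month' => 'templates/month.php',
    );
    $key = sanitize_key( $_POST['tpl'] ?? '' );
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown template', 400 );
    }

    ob_start();
    include plugin_dir_path( __FILE__ ) . $allowed[ $key ];
    wp_send_json_success( array( 'html' => ob_get_clean() ) );
}
// Registered for logged-in users only: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_mp_route_url', 'mp_route_url_hardened' );
```

When auditing a plugin for this class of bug, grep for every `wp_ajax_nopriv_` registration and confirm the callback either needs no privilege by design or performs a `current_user_can()` check before acting.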
Affected Version(s)
Timetable and Event Schedule by MotoPress * <= 2.3.8
CVSS V3.1
- Score: 9.8
- Severity: CRITICAL
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
- Vulnerability published
- Vulnerability reserved
Credit
- Ramuel Gall