MotoPress Timetable Plugin Vulnerable to Authorization Bypass

CVE-2020-36840

9.8CRITICAL

Key Information

Vendor: Jetmonsters
Status: Timetable And Event Schedule By Motopress
Vendor: CVE Published:; 16 October 2024

Summary

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wp_ajax_route_url() function called via a nopriv AJAX action in versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to call that function and perform a wide variety of actions such as including random template, injecting malicious web scripts, and more.

Affected Version(s)

Timetable and Event Schedule by MotoPress <= 2.3.8

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Oct 16, 2024
Vulnerability Reserved.
Oct 15, 2024
Disclosed
Apr 21, 2020

Collectors

NVD DatabaseMitre Database

Credit

Ramuel Gall