MotoPress Timetable Plugin Vulnerable to Authorization Bypass
CVE-2020-36840
9.8CRITICAL
Key Information
- Vendor
- Jetmonsters
- Status
- Timetable And Event Schedule By Motopress
- Vendor
- CVE Published:
- 16 October 2024
Summary
The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wp_ajax_route_url() function called via a nopriv AJAX action in versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to call that function and perform a wide variety of actions such as including random template, injecting malicious web scripts, and more.
Affected Version(s)
Timetable and Event Schedule by MotoPress <= 2.3.8
References
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database
Credit
Ramuel Gall