MotoPress Timetable Plugin Vulnerable to Authorization Bypass
CVE-2020-36840
9.8 CRITICAL
Key Information:
- Vendor: WordPress
- CVE Published: 16 October 2024
What is CVE-2020-36840?
The MotoPress Timetable and Event Schedule plugin for WordPress is vulnerable to an authorization bypass because the wp_ajax_route_url() function performs no capability check. The function is also reachable through a nopriv AJAX action, so unauthenticated attackers can call it. Through this endpoint an attacker can trigger actions the plugin never intended to expose, such as including arbitrary templates or injecting malicious web scripts, which poses a significant security risk to affected WordPress sites.
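The defect class described above, a privileged admin-ajax handler reachable on the nopriv hook with no capability check, is easiest to understand next to its hardened form. The following is an added example written for this page, not code from the MotoPress plugin: the action name `example_route_url`, the script handle `example-timetable`, the `edit_posts` capability and the template allow-list are all assumptions for illustration.

```php
<?php
// Added example (not the plugin's code). The action name, script handle,
// capability and template names below are assumptions for illustration.

// Vulnerable pattern described by the advisory: one handler registered on
// both the logged-in and the nopriv hook, with no nonce or capability check,
// acting on caller-controlled input. Registration lines are left commented
// out so this file does not expose the weak endpoint if it is loaded.
function example_route_url_unchecked() {
    $template = isset( $_POST['template'] ) ? (string) $_POST['template'] : '';
    include $template;   // arbitrary template inclusion reachable by anyone
    wp_die();
}
// add_action( 'wp_ajax_example_route_url', 'example_route_url_unchecked' );
// add_action( 'wp_ajax_nopriv_example_route_url', 'example_route_url_unchecked' );

// Hardened handler: CSRF token, explicit authorization, and an allow-list
// instead of a caller-supplied file path.
function example_route_url_checked() {
    // 1. The request must carry a nonce minted for this specific action;
    //    check_ajax_referer() terminates the request otherwise.
    check_ajax_referer( 'example_route_url', 'nonce' );

    // 2. Authorization is an explicit capability check inside the handler,
    //    independent of which hook delivered the request.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. The caller chooses a short key; the plugin maps it to a fixed set of
    //    files it ships. No path from the request ever reaches include/require.
    $allowed = array(
        'list' => 'timetable-list.php',
        'grid' => 'timetable-grid.php',
    );
    $key = isset( $_POST['template'] ) ? sanitize_key( wp_unslash( $_POST['template'] ) ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown template' ), 400 );
    }

    ob_start();
    load_template( plugin_dir_path( __FILE__ ) . 'templates/' . $allowed[ $key ], false );
    wp_send_json_success( array( 'html' => ob_get_clean() ) );
}
// Register the privileged action for authenticated users only. A handler that
// needs a capability must not also be hooked on wp_ajax_nopriv_.
add_action( 'wp_ajax_example_route_url', 'example_route_url_checked' );

// The nonce reaches the browser alongside the script that calls the endpoint
// (the 'example-timetable' handle is assumed to be registered elsewhere).
function example_enqueue_assets() {
    wp_localize_script( 'example-timetable', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_route_url' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_assets' );
```

When reviewing a plugin for this class of bug, check every `wp_ajax_nopriv_` registration and confirm that the callback either needs no privilege at all or performs its own `current_user_can()` check; the nopriv hook itself grants nothing and blocks nothing.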
Affected Version(s)
- Timetable and Event Schedule by MotoPress: all versions up to and including 2.3.8