Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Deletion
CVE-2021-24583

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Timetable And Event Schedule By Motopress
Vendor: CVE Published:; 20 September 2021

Summary

The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be performed via CSRF against a logged in with such capability

Affected Version(s)

Timetable and Event Schedule by MotoPress 2.4.2

References

https://wpscan.com/vulnerability/7aec4ef4-db3b-41fb-9177-...

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 20, 2021
Vulnerability Reserved
Jan 14, 2021

Credit

dc11