Unauthorized Modification of Data in Timetics Appointment Booking Plugin
CVE-2024-1094

7.3 HIGH

Key Information:

Summary

The Timetics Appointment Booking plugin for WordPress, designed to facilitate AI-powered reservations and calendar scheduling, contains a vulnerability that allows unauthorized data modification. The issue arises from a missing capability check in the make_staff() function and affects all versions up to and including 1.0.21. It allows unauthenticated attackers to assign staff permissions to any user, which may lead to unauthorized access to and manipulation of sensitive data within the application. Organizations using this plugin should take immediate action to mitigate the risk.
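The bug class the advisory describes is a privileged REST callback reachable without a capability check. The following is an added illustration, not the plugin's own code: the route, namespace, role slug and parameter names are hypothetical placeholders, and the "before" handler shows the missing check while the "after" handler gates the same action on current_user_can().

```php
<?php
// Added illustration (not the plugin's actual code). Namespace, route, role
// slug 'example_staff' and the 'user_id' parameter are hypothetical.

// BEFORE: the class of defect described in the advisory. A permission_callback
// of __return_true means any client, authenticated or not, reaches the
// callback and can promote an arbitrary user to the staff role.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-booking/v1', '/make-staff', array(
        'methods'             => 'POST',
        'callback'            => 'example_make_staff',
        'permission_callback' => '__return_true', // no capability validation
    ) );
} );

// AFTER: same action, but the permission_callback requires a site-management
// capability. Cookie-authenticated REST requests without a valid X-WP-Nonce are
// treated by WordPress as logged out, so current_user_can() fails for them too.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-booking/v1', '/make-staff-fixed', array(
        'methods'             => 'POST',
        'callback'            => 'example_make_staff',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'user_id' => array( 'required' => true, 'type' => 'integer', 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

// Shared handler: grants the hypothetical staff role to the requested user.
// The handler itself is unchanged; the fix lives entirely in the route's
// permission_callback, which is where WordPress expects authorization to happen.
function example_make_staff( WP_REST_Request $request ) {
    $user = get_user_by( 'id', (int) $request->get_param( 'user_id' ) );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'No such user.', array( 'status' => 404 ) );
    }
    $user->add_role( 'example_staff' );
    return rest_ensure_response( array( 'user_id' => $user->ID, 'roles' => $user->roles ) );
}
```

When auditing a plugin for this pattern, look for register_rest_route() calls whose permission_callback is __return_true or absent, and for admin-ajax handlers hooked on wp_ajax_nopriv_ that change roles or capabilities.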

Affected Version(s)

WP Timetics - AI-powered Appointment Booking Calendar and Online Scheduling Plugin, all versions <= 1.0.21

CVSS v3.1

  • Score: 7.3
  • Severity: HIGH
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Francesco Carlucci