Unauthorized Data Deletion Vulnerability in WP Timetics
CVE-2024-11275
4.3MEDIUM
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 13 December 2024
What is CVE-2024-11275?
The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users.
Affected Version(s)
WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin * <= 1.0.27