Vulnerability in WP Timetics Plugin Allows for Account Takeover and Privilege Escalation
CVE-2024-9263

9.8CRITICAL

Key Information:

Vendor

Wordpress
Status
WP Timetics- Ai-powered Appointment Booking Calendar And Online Scheduling Plugin
Vendor
CVE Published:
17 October 2024

What is CVE-2024-9263?

The WP Timetics Appointment Booking Calendar and Online Scheduling Plugin for WordPress has a vulnerability that allows unauthenticated attackers to execute account takeover and privilege escalation through Insecure Direct Object Reference. This issue arises from insufficient validation on a user-controlled key during the save() function, affecting all versions up to and including 1.0.25. Consequently, attackers are able to reset the email addresses and passwords of arbitrary user accounts, giving them unauthorized access to sensitive accounts, including those of administrators.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin * <= 1.0.25

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/timetics/tags/...
https://plugins.trac.wordpress.org/changeset/3169771/time...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley
JSON
.