CVE-2024-1094

2024-06-1405:15:48

[email protected]

web.nvd.nist.gov

timetics

wordpress

cve-2024-1094

data modification

capability check

unauthenticated attackers

staff permissions

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

0.0005 Low

EPSS

Percentile

17.0%

JSON

The Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff() function in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to grant users staff permissions.

Affected configurations

Vulners

Node

arrayticswp_timetics-_ai-powered_appointment_booking_calendar_and_online_scheduling_pluginRange≤1.0.21

CNA Affected

[
  {
    "vendor": "arraytics",
    "product": "WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.0.21",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]