Lucene search

WordfenceVULNRICHMENT:CVE-2024-1094

HistoryJun 14, 2024 - 4:36 a.m.

CVE-2024-1094 Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling Plugin <= 1.0.21 - Missing Authorization to Limited Privilege Escalation

2024-06-1404:36:54

Wordfence

github.com

timetics

appointment booking

authorization

vulnerability

wordpress

calendar scheduling

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.0%

JSON

The Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff() function in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to grant users staff permissions.

CNA Affected

[
  {
    "vendor": "arraytics",
    "product": "WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin",
    "versions": [
      {
        "status": "affected",
        "version": "*",
        "versionType": "semver",
        "lessThanOrEqual": "1.0.21"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/changeset/3101489/timetics/trunk/core/staffs/hooks.php

www.wordfence.com/threat-intel/vulnerabilities/id/76fe8746-582e-49a5-b0c1-19d2aaef44df?source=cve

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

7 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for VULNRICHMENT:CVE-2024-1094