Lucene search

WpvulndbWPVDB-ID:CA8CE408-5E4C-4A35-9E30-74F3B706656D

HistoryJun 13, 2024 - 12:00 a.m.

Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling Plugin < 1.0.22 - Missing Authorization to Limited Privilege Escalation

2024-06-1300:00:00

wpscan.com

timetics

appointment booking

visual seat plan

calendar scheduling

wordpress

vulnerability

authorization

privilege escalation

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score

6.6

Confidence

High

JSON

Description The Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff() function in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to grant users staff permissions.

References

www.wordfence.com/threat-intel/vulnerabilities/id/76fe8746-582e-49a5-b0c1-19d2aaef44df

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score

6.6

Confidence

High

JSON

Related for WPVDB-ID:CA8CE408-5E4C-4A35-9E30-74F3B706656D