CVE-2021-24584
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS —EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
20 Sep 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to Stored XSS issues
Affected products
Unknown · Timetable and Event Schedule by MotoPressWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →