History: Sep 20, 2021 - 10:06 a.m.

CVE-2021-24583 Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Deletion

2021-09-20 10:06:20
CWE-284
WPScan
www.cve.org
2
cve-2021-24583
motopress
unauthorised
event
timeslot
deletion
access control
csrf

AI Score

5

Confidence

High

EPSS

0.001

Percentile

27.4%

The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslots from any event. Furthermore, no CSRF check is in place, allowing such an attack to be performed via CSRF against a logged-in user with such capability.

CNA Affected

[
  {
    "product": "Timetable and Event Schedule by MotoPress",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "2.4.2",
        "status": "affected",
        "version": "2.4.2",
        "versionType": "custom"
      }
    ]
  }
]
