Vulnerability Description
The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to Stored XSS issues
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Motopress | Timetable And Event Schedule | < 2.4.2 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/60eadf75-8298-49de-877e-ce103fc34d58ExploitThird Party Advisory
- https://wpscan.com/vulnerability/60eadf75-8298-49de-877e-ce103fc34d58ExploitThird Party Advisory
FAQ
What is CVE-2021-24584?
CVE-2021-24584 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update a...
How severe is CVE-2021-24584?
CVE-2021-24584 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24584?
Check the references section above for vendor advisories and patch information. Affected products include: Motopress Timetable And Event Schedule.