Vulnerability Description
The Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff() function in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to grant users staff permissions. CVE-2024-37427 is likely a duplicate of this issue.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/3101489/timetics/trunk/core/staffs/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/76fe8746-582e-49a5-b0c
- https://plugins.trac.wordpress.org/changeset/3101489/timetics/trunk/core/staffs/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/76fe8746-582e-49a5-b0c
FAQ
What is CVE-2024-1094?
CVE-2024-1094 is a vulnerability with a CVSS score of 7.3 (HIGH). The Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability ...
How severe is CVE-2024-1094?
CVE-2024-1094 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-1094?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.