Vulnerability Description
The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() function, due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible.
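The defensive fix for this class of bug is to bind the account being updated to the authenticated caller (or a capability) before any write, and to never rewrite credentials from a bare ID. The handler below is an illustrative example added here, not the plugin's own code; the route, parameter names and function names are assumptions.

```php
<?php
// Hypothetical hardened "save customer" REST endpoint for a WordPress plugin.
// Not the plugin's code; names and route are assumptions for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-booking/v1', '/customers/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_customer_save',
        // Runs before the callback: denies anonymous and cross-account access.
        'permission_callback' => 'example_customer_save_permission',
        'args'                => array(
            'id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

function example_customer_save_permission( WP_REST_Request $request ) {
    $target = absint( $request['id'] );
    if ( ! is_user_logged_in() || 0 === $target ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    // The ownership check an IDOR lacks: the user-supplied ID must match the
    // caller, or the caller must hold the capability to edit other users.
    if ( get_current_user_id() !== $target && ! current_user_can( 'edit_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed to edit this account.', array( 'status' => 403 ) );
    }
    return true;
}

function example_customer_save( WP_REST_Request $request ) {
    $target = absint( $request['id'] );
    $data   = array( 'ID' => $target );

    $email = sanitize_email( (string) $request->get_param( 'email' ) );
    if ( '' !== $email && is_email( $email ) ) {
        $data['user_email'] = $email;
    }
    // Credential changes require re-proving the current password even for the
    // account owner, so a stolen session or CSRF cannot silently rotate them.
    $new_pass = (string) $request->get_param( 'new_password' );
    if ( '' !== $new_pass ) {
        $user    = get_user_by( 'id', $target );
        $current = (string) $request->get_param( 'current_password' );
        if ( ! $user || ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
            return new WP_Error( 'bad_password', 'Current password is wrong.', array( 'status' => 403 ) );
        }
        $data['user_pass'] = $new_pass;
    }

    $result = wp_update_user( $data ); // returns user ID on success, WP_Error otherwise
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'updated' => $result ) );
}
```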
CVSS Score
9.8 (CRITICAL)
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.25/core/customers/c
- https://plugins.trac.wordpress.org/changeset/3169771/timetics/trunk/core/custome
- https://plugins.trac.wordpress.org/changeset/3169771/timetics/trunk/core/custome
- https://www.wordfence.com/threat-intel/vulnerabilities/id/74bd595b-d2fa-4c62-82d
FAQ
What is CVE-2024-9263?
CVE-2024-9263 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference i...
How severe is CVE-2024-9263?
CVE-2024-9263 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-9263?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.