The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users.
Metrics
Affected Vendors & Products
References
History
Fri, 13 Dec 2024 22:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Fri, 13 Dec 2024 08:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users. | |
Title | WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.27 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion | |
Weaknesses | CWE-639 | |
References |
|
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-12-13T08:24:52.066Z
Updated: 2024-12-13T21:15:20.452Z
Reserved: 2024-11-15T18:38:25.634Z
Link: CVE-2024-11275
Vulnrichment
Updated: 2024-12-13T21:15:03.804Z
NVD
Status : Received
Published: 2024-12-13T09:15:04.887
Modified: 2024-12-13T09:15:04.887
Link: CVE-2024-11275
Redhat
No data.