CVE-2024-11275 – WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.27 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion
https://notcve.org/view.php?id=CVE-2024-11275
12 Dec 2024 — The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users.
Reference: https://plugins.trac.wordpress.org/browser/timetics/trunk/core/customers/api-customer.php#L308
CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2024-37427 – WordPress Timetics plugin <= 1.0.21 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-37427
01 Nov 2024 — Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through 1.0.21.
Reference: https://patchstack.com/database/vulnerability/timetics/wordpress-timetics-plugin-1-0-21-broken-access-control-vulnerability?_s_id=cve
CWE-862: Missing Authorization
CVE-2024-9263 – WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.25 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover
https://notcve.org/view.php?id=CVE-2024-9263
16 Oct 2024 — The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() function due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possib...
Reference: https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.25/core/customers/customer.php#L299
CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2024-1094 – Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling Plugin <= 1.0.21 - Missing Authorization to Limited Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-1094
13 Jun 2024 — The Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff() function in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to grant users staff permissions.
Reference: https://plugins.trac.wordpress.org/changeset/3101489/timetics/trunk/core/staffs/hooks.php
CWE-862: Missing Authorization