CVE-2020-36840
Timetable and Event Schedule by MotoPress <= 2.3.8 - Missing Authorization
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wp_ajax_route_url() function called via a nopriv AJAX action in versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to call that function and perform a wide variety of actions such as including random template, injecting malicious web scripts, and more.
El complemento Timetable and Event Schedule de MotoPress para WordPress es vulnerable a la omisión de autorización debido a una verificación de capacidad faltante en la función wp_ajax_route_url() llamada a través de una acción AJAX nopriv en versiones hasta la 2.3.8 incluida. Esto hace posible que atacantes no autenticados llamen a esa función y realicen una amplia variedad de acciones, como incluir una plantilla aleatoria, inyectar scripts web maliciosos y más.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2020-04-21 CVE Published
- 2024-10-15 CVE Reserved
- 2024-10-16 CVE Updated
- 2024-10-31 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-862: Missing Authorization
CAPEC
References (2)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Jetmonsters Search vendor "Jetmonsters" | Timetable And Event Schedule Search vendor "Jetmonsters" for product "Timetable And Event Schedule" | <= 2.3.8 Search vendor "Jetmonsters" for product "Timetable And Event Schedule" and version " <= 2.3.8" | en |
Affected
| ||||||