Timetics < 1.0.24 – Authorization Bypass | CVE 2024-43923 | Plugin Vulnerabilities

Description

The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized booking in all versions up to, and including, 1.0.23. This is due to the plugin not properly validating if a user is authorized to make a booking. This makes it possible for unauthenticated attackers to book things they shouldn't be able to.

Affects Plugins

Fixed in 1.0.24

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6a75c8b0-fa1a-4032-a6fd-b504f5b05a08

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Manab Jyoti Dowarah

Verified

No

WPVDB ID

3421a0c2-c8a6-451e-840f-37bdff0af4f6

Timeline

Publicly Published

2024-08-26 (about 1 year ago)

Added

2024-09-04 (about 1 year ago)

Last Updated

2024-09-04 (about 1 year ago)

Other

Published

Title

Published

2026-01-02

Title

Overton <= 1.3 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2024-11-25

Title

The Events Calendar < 6.8.2.1 - Unauthenticated Password Protected Event Disclosure

Published

2023-09-22

Title

Pre-Publish Checklist < 1.1.2 - Insecure Direct Object Reference to Arbitrary Post '_ppc_meta_key' Update

Published

2022-08-04

Title

Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR

Published

2024-09-06

Title

ForumWP – Forum & Discussion Board Plugin < 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover