WordPress Plugin Vulnerabilities

Timetics < 1.0.30 - Missing Authorization

Description

The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.0.29. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
timetics
Fixed in 1.0.30

References

CVE
CVE-2025-30828
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4c2ce19e-17b2-4638-9a59-6a6de0370ef8

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Phat RiO - BlueRock
Verified
No
WPVDB ID
c0623f54-bac8-464e-9c0b-f5ccc79dd01d

Timeline

Publicly Published
2025-03-27 (about 1 year ago)
Added
2025-04-02 (about 1 year ago)
Last Updated
2025-04-02 (about 1 year ago)

Other

Published
Title
Published
2024-12-11
Title
AI Post Generator | AutoWriter <= 3.5 - Missing Authorization to Authenticated (Contributor+) Post/Page Deletion
Published
2024-12-18
Title
Instantio < 3.3.8 - Missing Authorization to Unauthenticated Settings Update
Published
2025-03-04
Title
WP Online Contract <= 5.1.4 - Missing Authorization to Unauthenticated Settings Import
Published
2024-06-28
Title
Featured Image from URL < 4.8.2 - Missing Authorization
Published
2025-08-27
Title
SUMO Memberships for WooCommerce < 7.8.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion