WordPress Plugin Vulnerabilities

Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling Plugin < 1.0.22 - Missing Authorization to Limited Privilege Escalation

Description

The Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff() function in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to grant users staff permissions. CVE-2024-37427 is likely a duplicate of this issue.

Affects Plugins

Plugin icon
timetics
Fixed in 1.0.22

References

CVE
CVE-2024-1094
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/76fe8746-582e-49a5-b0c1-19d2aaef44df

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.3 (high)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
ca8ce408-5e4c-4a35-9e30-74f3b706656d

Timeline

Publicly Published
2024-06-13 (about 1 year ago)
Added
2024-06-13 (about 1 year ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2025-03-11
Title
SecuPress Free < 2.3 - Missing Authorization
Published
2025-08-27
Title
Uncanny Automator < 6.8.0 - Missing Authorization
Published
2026-02-18
Title
Simple Membership < 4.7.1 - Unauthenticated Improper Handling of Missing Values
Published
2024-06-20
Title
ConvertKit < 2.4.9.1 - Missing Authorization
Published
2025-09-16
Title
Wide Banner <= 1.0.4 - Missing Authorization