Timetable and Event Schedule by MotoPress < 2.4.16 – Contributor+ Event Disclosure via IDOR | CVE 2025-12954 | Plugin Vulnerabilities

Description

The plugin does not verify a user has access to a specific event when duplicating, leading to arbitrary event disclosure when to users with a role as low as Contributor.

Proof of Concept

As a contributor, go to: https://example.com/wp-admin/edit.php?post_type=mp-event

Hover over "duplicate" on: http://example.com/wp-admin/post.php?post=<<POST_ID>>&action=mptt_duplicate_event&_wpnonce=XXXX

Replace "<<POST_ID>" with another valid event ID and you will get a duplicate of that event.

Affects Plugins

Fixed in 2.4.16

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

bRpsd

Submitter

bRpsd

Submitter website

https://www.exploit-db.com/?author=8147

Submitter twitter

NA

Verified

Yes

WPVDB ID

f15dd1ca-aa40-4d3b-9625-e3ace744374d

Timeline

Publicly Published

2025-11-12 (about 1 month ago)

Added

2025-11-12 (about 1 month ago)

Last Updated

2025-11-12 (about 1 month ago)

Other

Published

Title

Published

2025-09-22

Title

Academy LMS < 3.3.5 - Authenticated (Academy Instructor+) Insecure Direct Object Reference

Published

2025-01-06

Title

WP Job Portal – A Complete Recruitment System for Company or Job Board website < 2.2.6- Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2025-12-11

Title

Ultra Addons for Contact Form 7 < 3.5.34 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF

Published

2022-11-14

Title

TeraWallet - For WooCommerce < 1.4.4 - Subscriber+ Arbitrary Wallet Lock/Unlock via IDOR

Published

2025-06-05

Title

Password Policy Manager < 2.0.5 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover