Timetable and Event Schedule by MotoPress < 2.4.16 – Contributor+ Event Disclosure via IDOR | CVE 2025-12954 | Plugin Vulnerabilities

Description

The plugin does not verify a user has access to a specific event when duplicating, leading to arbitrary event disclosure when to users with a role as low as Contributor.

Proof of Concept

As a contributor, go to: https://example.com/wp-admin/edit.php?post_type=mp-event

Hover over "duplicate" on: http://example.com/wp-admin/post.php?post=<<POST_ID>>&action=mptt_duplicate_event&_wpnonce=XXXX

Replace "<<POST_ID>" with another valid event ID and you will get a duplicate of that event.

Affects Plugins

Fixed in 2.4.16

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

bRpsd

Submitter

bRpsd

Submitter website

https://www.exploit-db.com/?author=8147

Submitter twitter

NA

Verified

Yes

WPVDB ID

f15dd1ca-aa40-4d3b-9625-e3ace744374d

Timeline

Publicly Published

2025-11-12 (about 1 month ago)

Added

2025-11-12 (about 1 month ago)

Last Updated

2025-11-12 (about 1 month ago)

Other

Published

Title

Published

2024-03-29

Title

Whizzy <= 1.1.18 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2025-05-06

Title

WPshop 2 – E-Commerce 2.0.0 - 2.6.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Key Generation

Published

2024-07-09

Title

Paid Memberships Pro - Membership Maps Add On < 0.7 - Contributor+ Sensitive Information Disclosure

Published

2025-02-23

Title

Amelia < 1.2.17 - Unauthenticated Insecure Direct Object Reference

Published

2025-12-03

Title

HUSKY – Products Filter Professional for WooCommerce < 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query'