cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2020-36840,https://securityvulnerability.io/vulnerability/CVE-2020-36840,MotoPress Timetable Plugin Vulnerable to Authorization Bypass,"The MotoPress Timetable and Event Schedule plugin for WordPress is vulnerable to an authorization bypass due to a missing capability check in the wp_ajax_route_url() function. This flaw occurs when the function is executed via a nopriv AJAX action, allowing unauthenticated attackers to exploit it. Attackers can invoke unauthorized actions, such as including arbitrary templates or injecting harmful web scripts, thereby posing significant security risks to affected WordPress sites.",Wordpress,Timetable And Event Schedule By Motopress,9.8,CRITICAL,0.000910000002477318,false,,false,false,false,,false,false,2024-10-16T07:31:50.702Z,0
CVE-2024-3342,https://securityvulnerability.io/vulnerability/CVE-2024-3342,SQL Injection Vulnerability in MotoPress Timetable Plugin Affects Sensitive Data,"The Timetable and Event Schedule by MotoPress plugin for WordPress is susceptible to SQL Injection through the 'events' attribute of the 'mp-timetable' shortcode. This vulnerability exists in all versions up to and including 2.4.11 due to inadequate escaping of user-supplied parameters and insufficient safeguards in the SQL query construction. Authenticated attackers with contributor-level access can exploit this vulnerability to insert additional SQL queries, potentially leading to the unauthorized extraction of sensitive data from the database.",Wordpress,Timetable And Event Schedule By Motopress,9.9,CRITICAL,0.0004299999854993075,false,,false,false,false,,false,false,2024-04-27T08:37:55.489Z,0
CVE-2021-24585,https://securityvulnerability.io/vulnerability/CVE-2021-24585,Timetable and Event Schedule by MotoPress < 2.4.0 - Arbitrary User's Hashed Password/Email/Username Disclosure,"The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address (along with other less sensitive data) of the user related to the Event Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts capability. Combined with the other Unauthorised Event Timeslot Modification issue (https://wpscan.com/reports/submissions/4699/) where an arbitrary user ID can be set, this could allow low privilege users with the edit_posts capability (such as author) to retrieve sensitive User data by iterating over the user_id",Wordpress,Timetable And Event Schedule By Motopress,6.5,MEDIUM,0.0008399999933317304,false,,false,false,false,,false,false,2021-09-20T10:06:23.000Z,0
CVE-2021-24584,https://securityvulnerability.io/vulnerability/CVE-2021-24584,Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update,"The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslots from any event. Furthermore, no CSRF check is in place, allowing such an attack to be performed via CSRF against a logged-in user with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the description, could also lead to Stored XSS issues",Wordpress,Timetable And Event Schedule By Motopress,5.4,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2021-09-20T10:06:21.000Z,0
CVE-2021-24583,https://securityvulnerability.io/vulnerability/CVE-2021-24583,Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Deletion,"The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslots from any event. Furthermore, no CSRF check is in place, allowing such an attack to be performed via CSRF against a logged-in user with such capability",Wordpress,Timetable And Event Schedule By Motopress,4.3,MEDIUM,0.000590000010561198,false,,false,false,false,,false,false,2021-09-20T10:06:20.000Z,0
CVE-2021-24724,https://securityvulnerability.io/vulnerability/CVE-2021-24724,Timetable and Event Schedule by MotoPress < 2.3.19 - Author+ Stored Cross-Site Scripting,"The Timetable and Event Schedule by MotoPress WordPress plugin before 2.3.19 does not sanitise some of its parameters, which could allow low privilege users such as author to perform XSS attacks against frontend and backend users when viewing the related event/s",Wordpress,Timetable And Event Schedule By Motopress,5.4,MEDIUM,0.0006500000017695129,false,,false,false,false,,false,false,2021-09-13T17:56:38.000Z,0