The Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff function in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to grant users staff permissions.

Affected product:

  • timetics ai-powered_appointment_booking_with_visual_seat_plan_and_ultimate_calendar_scheduling 1.0.21

CVSS version: 3.1
Base score: 7.3
Base severity: HIGH
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability score: 3.9
Impact score: 3.4
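The root cause above is a privileged action (granting staff permissions) that runs without verifying the caller's capability. The following is an added illustration, not the Timetics plugin's code, of how such a "make staff" endpoint is gated in WordPress: the route names, the `demo_make_staff` function and the `demo_staff` role are assumed placeholders.

```php
<?php
// Added example (not the Timetics plugin's code): a "make staff" REST
// handler that performs the capability check the advisory reports missing.
// Hypothetical names: the 'demo/v1' namespace, demo_make_staff(), 'demo_staff'.

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/make-staff', array(
        'methods'  => 'POST',
        'callback' => 'demo_make_staff',
        // permission_callback runs before the handler. Returning false makes
        // WordPress answer 401 (not logged in) or 403 instead of executing
        // the privileged action. Omitting it (or returning '__return_true')
        // is exactly the "missing capability check" pattern.
        'permission_callback' => function () {
            // 'promote_users' is the core capability for changing user roles.
            return current_user_can( 'promote_users' );
        },
        'args' => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $v ) { return is_numeric( $v ) && (int) $v > 0; },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function demo_make_staff( WP_REST_Request $request ) {
    // Defence in depth: re-check inside the handler so the check survives
    // if the route registration is ever changed or the function is reused.
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    $user = get_user_by( 'id', (int) $request->get_param( 'user_id' ) );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'Unknown user.', array( 'status' => 404 ) );
    }
    // Hypothetical custom role representing plugin staff.
    $user->add_role( 'demo_staff' );
    return rest_ensure_response( array( 'user_id' => $user->ID, 'roles' => $user->roles ) );
}
```

For cookie-authenticated REST requests WordPress also requires a valid `X-WP-Nonce`, so an authenticated but unprivileged user is still refused by the capability check rather than by the nonce alone.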

Can you explain the CVE description?

This CVE description is for a vulnerability identified as CVE-2024-1094 in the Timetics- AI-powered Appointment Booking plugin for WordPress. The vulnerability exists in all versions up to and including 1.0.21. The issue is caused by a missing capability check on the make_staff function, which allows unauthenticated attackers to modify data and grant users staff permissions. The CVSS score for this vulnerability is 7.3, indicating a high severity level. The exploitability score is 3.9 and the impact score is 3.4. The vulnerability was published on June 14, 2024, and is currently in the EARLY_WARNING status. More information about this vulnerability can be found in the provided URLs.

How can this vulnerability be part of an attack tree?

This vulnerability can be part of an attack tree by allowing unauthenticated attackers to grant users staff permissions, which could lead to unauthorized access to sensitive data or functionalities within the WordPress plugin. Attackers could exploit this vulnerability to gain unauthorized access to appointment booking information, modify bookings, or potentially disrupt the scheduling system. This could result in financial losses, privacy breaches, or reputational damage for the affected organization or individuals using the plugin.

Generated on: 2024-07-01