fkie_cve-2024-11275
Vulnerability from fkie_nvd
Published
2024-12-13 09:15
Modified
2024-12-13 09:15
Severity ?
Summary
The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users."
},
{
"lang": "es",
"value": "El complemento WP Timetics - AI-powered Appointment Booking Calendar and Online Scheduling Plugin para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a una verificaci\u00f3n de capacidad faltante en el endpoint de la API REST /wp-json/timetics/v1/customers/ en todas las versiones hasta la 1.0.27 incluida. Esto permite que atacantes autenticados, con acceso de cliente de Timetics y superior, eliminen usuarios arbitrarios."
}
],
"id": "CVE-2024-11275",
"lastModified": "2024-12-13T09:15:04.887",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2024-12-13T09:15:04.887",
"references": [
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/browser/timetics/trunk/core/customers/api-customer.php#L308"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3206505%40timetics\u0026new=3206505%40timetics\u0026sfp_email=\u0026sfph_mail=#file199"
},
{
"source": "security@wordfence.com",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d68e250e-d850-4100-81db-3e3c48a3a4a1?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "security@wordfence.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…