QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2021-24585

Back to search

CVE-2021-24585

Published: Sep 20, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address (along other less sensitive data) of the user related to the Even Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts capability. Combined with the other Unauthorised Event Timeslot Modification issue (https://wpscan.com/reports/submissions/4699/) where an arbitrary user ID can be set, this could allow low privilege users with the edit_posts capability (such as author) to retrieve sensitive User data by iterating over the user_id

VendorProductVersions

Unknown

Timetable and Event Schedule by MotoPress

affected
2.4.0 - < 2.4.0

Weaknesses (CWE)

CWE-200

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now