cbcvebase.
CVE-2024-9263
published 2024-10-17

CVE-2024-9263: The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege…

PriorityP269critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.15%
62.8th percentile
The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible.

Affected

1 ranges
VendorProductVersion rangeFixed in
arrayticstimetics_appointment_booking_scheduling<= 1.0.25
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.