
Description

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the action_get_event_data handler due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to enumerate timeslot IDs and read the full WP_Post object (including post_content, post_excerpt, post_status, and post_author) of draft, pending, and private mp-event posts belonging to other users, along with their associated raw timeslot descriptions.
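The following is an added illustration of the CWE-639 pattern described above, written for this page; it is not the plugin's code and does not reproduce the actual action_get_event_data implementation. The hook names, the function names, and the timeslot-to-event lookup via a post meta key named event_id are assumptions. The hardened variant relies on WordPress mapping the read_post meta-capability for the mp-event post type (map_meta_cap), which is the default for post types registered with capability_type post.

```php
<?php
/**
 * Added illustration for CVE-2026-9228 (CWE-639), not the plugin's own code.
 * Assumptions: a timeslot is a post whose 'event_id' meta points at the parent
 * mp-event post; the AJAX action name 'hypo_get_event_data' is hypothetical.
 */

// Vulnerable pattern: the caller-supplied timeslot ID is used as a lookup key
// and whatever event it resolves to is returned in full, with no check on
// post_status or ownership. A contributor can iterate IDs and read other
// users' draft, pending and private events.
function hypo_get_event_data_vulnerable() {
    $timeslot_id = isset( $_POST['timeslot_id'] ) ? absint( $_POST['timeslot_id'] ) : 0;
    $event_id    = (int) get_post_meta( $timeslot_id, 'event_id', true ); // assumed meta key
    $event       = get_post( $event_id );
    if ( ! $event ) {
        wp_send_json_error( 'not found' );
    }
    // Serialises the whole WP_Post: post_content, post_excerpt, post_status, post_author ...
    wp_send_json_success( $event );
}

// Hardened pattern: validate the type of the resolved object, check that the
// current user may read that specific post, and return only the fields the
// front end actually needs.
function hypo_get_event_data_hardened() {
    check_ajax_referer( 'hypo_event_data', 'nonce' );

    $timeslot_id = isset( $_POST['timeslot_id'] ) ? absint( $_POST['timeslot_id'] ) : 0;
    $event_id    = $timeslot_id ? (int) get_post_meta( $timeslot_id, 'event_id', true ) : 0;
    $event       = $event_id ? get_post( $event_id ) : null;

    // current_user_can( 'read_post', $id ) goes through map_meta_cap: a public
    // post needs only 'read'; a draft, pending or private post is readable by
    // its author, or by a user holding the post type's read_private_posts /
    // edit_others_posts capability. That is the check the vulnerable path lacks.
    if ( ! $event
         || 'mp-event' !== $event->post_type
         || ! current_user_can( 'read_post', $event->ID ) ) {
        // Identical response for "does not exist" and "not yours", so the
        // endpoint cannot be used to confirm which IDs exist.
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array(
        'id'      => $event->ID,
        'title'   => get_the_title( $event ),
        'content' => apply_filters( 'the_content', $event->post_content ),
    ) );
}

// Only authenticated callers reach wp_ajax_ hooks, matching the advisory's
// "contributor-level access and above" precondition.
add_action( 'wp_ajax_hypo_get_event_data', 'hypo_get_event_data_hardened' );
```

The key difference is that the hardened handler authorizes the resolved object rather than the request: the timeslot ID is still untrusted input, but nothing is returned until WordPress confirms the caller may read that particular mp-event post. Returning a hand-picked array instead of the WP_Post object also prevents future fields from leaking by default.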

PUBLISHED Reserved 2026-05-21 | Published 2026-05-28 | Updated 2026-05-28 | Assigner Wordfence

MEDIUM: 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

Any version
affected

Timeline

2026-05-21: Vendor Notified
2026-05-27: Disclosed

Credits

Jack Pas (finder)

References

www.wordfence.com/...-30ef-4c24-afa6-04248c25bd7f?source=cve

plugins.trac.wordpress.org/.../2.4.16/classes/class-core.php

plugins.trac.wordpress.org/...rs/class-controller-events.php

plugins.trac.wordpress.org/...lasses/models/class-events.php

plugins.trac.wordpress.org/...2.4.16/classes/class-hooks.php

plugins.trac.wordpress.org/...imetable&sfp_email=&sfph_mail=

cve.org (CVE-2026-9228)

nvd.nist.gov (CVE-2026-9228)
