Timetable and Event Schedule by MotoPress Insecure Direct Object Reference Vulnerability

Vulnerability

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the Timetable and Event Schedule by MotoPress plugin for WordPress, affecting all versions through 2.4.16. The vulnerability arises from missing validation on a user-controlled key in the action_get_event_data function. This flaw enables authenticated attackers with contributor-level access and above to enumerate timeslot IDs and access the complete WP_Post object of draft, pending, and private mp-event posts belonging to other users. The exposed data includes post content, excerpts, status, author information, and raw timeslot descriptions.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive event data, including private and draft posts from other users, potentially leading to further exploitation or information misuse.

Reproduction

To reproduce this vulnerability, an authenticated user with contributor-level access or higher can send a request to the action_get_event_data endpoint. The request must include a timeslot ID, which can be enumerated due to the lack of proper validation on the user-controlled key. Once the request is processed, the full WP_Post object of the corresponding event, along with the associated timeslot description, will be returned.
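The flaw described above is a missing per-object authorization check on a request-supplied key. As an added illustration (not the plugin's own code), the hardened WordPress AJAX handler below shows the check a developer would put in front of returning event data; the action name, the nonce name and the mptt_event_id_for_timeslot() helper are hypothetical, and it assumes the mp-event post type uses WordPress's standard capability mapping.

```php
<?php
// Illustrative hardened handler for a "get event data" AJAX action.
// This is example code, not the MotoPress plugin's implementation.
// Hypothetical action name; the real hook name is not given on the page.
add_action( 'wp_ajax_mptt_get_event_data', 'mptt_get_event_data_hardened' );

function mptt_get_event_data_hardened() {
    // 1. CSRF protection: reject requests without a valid nonce.
    //    (A nonce proves intent, not authorization; step 3 is still required.)
    check_ajax_referer( 'mptt_event_data', 'nonce' ); // hypothetical nonce action

    // 2. Sanitize the user-controlled key and resolve it to an event post.
    //    Vulnerable pattern: the next lines run and the post is returned
    //    without ever asking whether the caller may read it.
    $timeslot_id = isset( $_POST['timeslot_id'] ) ? absint( $_POST['timeslot_id'] ) : 0;
    $event_id    = mptt_event_id_for_timeslot( $timeslot_id ); // hypothetical lookup helper
    $post        = $event_id ? get_post( $event_id ) : null;

    if ( ! $post || 'mp-event' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // 3. Authorization on the resolved object. For a draft, pending or
    //    private post, 'read_post' maps to the edit / read_private
    //    capabilities of the post type, so a contributor cannot read
    //    another user's unpublished events; published posts stay readable.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 4. Return only the fields the front end needs, never the raw WP_Post
    //    object (which carries status, author and unfiltered content).
    wp_send_json_success( array(
        'id'      => $post->ID,
        'title'   => get_the_title( $post ),
        'content' => apply_filters( 'the_content', $post->post_content ),
    ) );
}
```

Returning 404 for both non-existent and non-readable objects is an option if the site does not want to confirm that a given timeslot ID exists.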

Remediation

Users are advised to update the Timetable and Event Schedule by MotoPress plugin to version 2.4.17 or later.

Added: May 28, 2026, 6:03 AM
Updated: May 28, 2026, 6:03 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.