Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total4
Critical0
High0
Medium4
Reset
Showing 1-4 of 4 records
Threat Entry Updated 2024-11-21

CVE-2021-24585 - Timetable And Event Schedule Plugin

The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address (along other less sensitive data) of the user related to the Even Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts capability. Combined with the other Unauthorised Event Timeslot Modification issue (https://wpscan.com/reports/submissions/4699/) where an arbitrary user ID can be set, this could allow low privilege users with the edit_posts capability (such as author) to retrieve sensitive User data by iterating over the user_id

PLUGIN Timetable And Event Schedule

CVE-2021-24585

MEDIUM CVSS 6.5 2021-09-20
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24584 - Timetable And Event Schedule Plugin

The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to Stored XSS issues

PLUGIN Timetable And Event Schedule

CVE-2021-24584

MEDIUM CVSS 5.4 2021-09-20
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24583 - Timetable And Event Schedule Plugin

The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be performed via CSRF against a logged in with such capability

PLUGIN Timetable And Event Schedule

CVE-2021-24583

MEDIUM CVSS 4.3 2021-09-20
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24724 - Timetable And Event Schedule Plugin

The Timetable and Event Schedule by MotoPress WordPress plugin before 2.3.19 does not sanitise some of its parameters, which could allow low privilege users such as author to perform XSS attacks against frontend and backend users when viewing the related event/s

PLUGIN Timetable And Event Schedule

CVE-2021-24724

MEDIUM CVSS 5.4 2021-09-13
Open Full Technical Breakdown
Scroll to top