CVE-2024-11275

MEDIUM

WP Timetics <1.0.27 - Info Disclosure

Title source: llm

Description

The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users.

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/timetics/trunk/core/customers/api-customer.php#L308

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3206505%40timetics&new=3206505%40timetics&sfp_email=&sfph_mail=#file199

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/d68e250e-d850-4100-81db-3e3c48a3a4a1?source=cve

Scores

CVSS v3 4.3

EPSS 0.0014

EPSS Percentile 33.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (2)

arraytics/Timetics – Appointment Booking & Scheduling < 1.0.27

arraytics/WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin < 1.0.27

Published Dec 13, 2024

Tracked Since Feb 18, 2026