vulnerability
WordPress Plugin: mp-timetable: CVE-2021-24584: Improper Access Control
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 3 | (AV:N/AC:M/Au:S/C:N/I:P/A:N) | Aug 23, 2021 | May 15, 2025 | Apr 30, 2026 |
Severity
3
CVSS
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
Published
Aug 23, 2021
Added
May 15, 2025
Modified
Apr 30, 2026
Description
The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to Stored XSS issues
Solution
mp-timetable-plugin-cve-2021-24584
References
- https://www.cve.org/CVERecord?id=CVE-2021-24584
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ab8ce4cf-9085-49d2-a889-9d53272032c1?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-11496
- CVE-2021-24584
- https://attackerkb.com/topics/CVE-2021-24584
- CWE-352
- CWE-79
- EUVD-EUVD-2021-11496
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.