Authorization Bypass Through User-Controlled Key (CWE-639)
The WP Timetics - AI-powered Appointment Booking Calendar and Online Scheduling Plugin for WordPress is vulnerable to account takeover and privilege escalation via an Insecure Direct Object Reference (IDOR) in all versions up to, and including, 1.0.25. The flaw is missing validation of a user-controlled key in the save() function: the account record to be updated is selected by a key the client supplies, and nothing ties that key to the identity of the caller. This allows unauthenticated attackers to reset the email address and password of arbitrary user accounts, including administrators.
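The pattern described above, as an added illustration in Python rather than the plugin's own PHP: a save()-style handler that picks the row to rewrite from a client-supplied user_id (the CWE-639 defect), beside a hardened form that refuses anonymous callers, defaults the target to the authenticated user, and lets the target differ only for administrators. Everything here is hypothetical example code, not the Timetics plugin's source; the User table, the request shape and the hash_password stand-in are constructed for the demo.

```python
"""CWE-639 in a save()-style profile handler: the vulnerable pattern beside a
hardened one. Hypothetical illustration only, not the Timetics plugin's code."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: int
    email: str
    password_hash: str
    role: str  # "administrator" or "subscriber", mirroring WordPress roles


def hash_password(plain: str) -> str:
    # Stand-in for wp_hash_password(); a salted SHA-256 is enough for the demo.
    salt = secrets.token_hex(8)
    return salt + ":" + hashlib.sha256((salt + plain).encode()).hexdigest()


def make_users() -> dict:
    # Constructed sample user table standing in for wp_users.
    return {
        1: User(1, "admin@example.com", hash_password("admin-pass"), "administrator"),
        2: User(2, "bob@example.com", hash_password("bob-pass"), "subscriber"),
    }


def save_vulnerable(users: dict, request: dict, session_user_id: Optional[int]) -> str:
    """The CWE-639 pattern. The row to rewrite is chosen entirely by a key the
    client supplies (request["user_id"]); session_user_id is never consulted,
    so an anonymous caller can name user_id=1 and take over the administrator."""
    target = users[int(request["user_id"])]
    target.email = request["email"]
    target.password_hash = hash_password(request["password"])
    return "updated user %d" % target.id


def save_fixed(users: dict, request: dict, session_user_id: Optional[int]) -> str:
    """Hardened form: refuse anonymous callers, default the target to the
    caller's own id, and let the target differ only for administrators."""
    if session_user_id is None or session_user_id not in users:
        raise PermissionError("authentication required")
    caller = users[session_user_id]
    target_id = int(request.get("user_id", caller.id))
    if target_id != caller.id and caller.role != "administrator":
        raise PermissionError("not allowed to modify another user's account")
    if target_id not in users:
        raise KeyError("no such user")
    target = users[target_id]
    target.email = request["email"]
    target.password_hash = hash_password(request["password"])
    return "updated user %d" % target.id


def attacker_request() -> dict:
    # Constructed unauthenticated request aimed at the administrator's row.
    return {"user_id": 1, "email": "attacker@example.com", "password": "pwned"}


def refused(handler, users: dict, request: dict, session_user_id: Optional[int]) -> bool:
    """True when the handler rejects the call with PermissionError."""
    try:
        handler(users, request, session_user_id)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    users = make_users()
    print(save_vulnerable(users, attacker_request(), None), "->", users[1].email)
    users = make_users()
    print("fixed handler refused:", refused(save_fixed, users, attacker_request(), None),
          "->", users[1].email)
```

In a WordPress plugin the equivalent checks are get_current_user_id() for the caller's identity, current_user_can('edit_user', $target_id) before touching another account, and wp_verify_nonce() on the form or REST request so the change cannot be driven cross-site; the point of the fix is that the client-supplied key is at most a hint that is re-checked against the session, never the sole selector of the row.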
This vulnerability can lead to severe consequences:
1. Account Takeover: Attackers can reset the emails and passwords of any user account, including administrators.
2. Privilege Escalation: By taking over an administrator account, attackers gain full control of the WordPress site.
3. Data Breach: With administrative access, attackers can potentially access and exfiltrate sensitive information.
4. Website Compromise: Attackers could modify website content, install malicious plugins, or use the site for further attacks.
5. Reputational Damage: If exploited, it could lead to loss of trust from users and potential legal consequences.
There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.
A patched version is not explicitly named in the available information. However, since the vulnerability affects "all versions up to, and including, 1.0.25" of the WP Timetics plugin, a fixed release (1.0.26 or later) is likely available or in development. Users should check for updates and apply them as soon as they become available.
1. Update the WP Timetics plugin to a version newer than 1.0.25 if one is available.
2. If an update is not available, consider temporarily disabling the WP Timetics plugin until a patch is released.
3. Implement strong access controls and monitor for suspicious activity, especially changes to user accounts (email or password resets that the account owner did not initiate).
4. Use a Web Application Firewall (WAF) to help detect and block IDOR attempts.
5. Regularly audit user accounts and permissions, especially those with administrative access.
6. Implement multi-factor authentication for all user accounts, especially administrative ones.
7. Keep WordPress core, themes, and all plugins up to date.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD published the first details for CVE-2024-9263
A CVSS base score of 9.8 has been assigned.
Feedly found the first article mentioning CVE-2024-9263.
Feedly estimated the CVSS score as HIGH
EPSS Score was set to: 0.05% (Percentile: 16.4%)
CVE-2024-9263 is a critical vulnerability (CVSS 9.8) in the WP Timetics plugin for WordPress that allows unauthenticated attackers to perform account takeover and privilege escalation through an insecure direct object reference in the save() function. There is currently no evidence of exploitation in the wild or of a public proof-of-concept exploit. A patched version is not explicitly named, so users are advised to update to a version newer than 1.0.25 or to disable the plugin until a fix is available. Additional mitigations include strong access controls, a Web Application Firewall, and multi-factor authentication for user accounts.
Detection for the vulnerability has been added to Qualys (152322)