A vulnerability has been discovered in WP Timetics, an AI-powered appointment booking calendar and online scheduling plugin for WordPress. The issue affects all versions of the plugin up to, and including, 1..27. Any authenticated user holding the plugin's Timetics Customer role or above can exploit it to delete arbitrary WordPress users, which amounts to an unauthorized loss of data.
Exploit Details
The vulnerability, tracked as CVE-2024-11275, is a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint. The endpoint confirms that the caller is an authenticated plugin customer but never verifies a capability that would justify deleting a user (in WordPress terms, delete_users). Because Timetics Customer is the plugin's lowest-privilege role, the one assigned to booking customers, an attacker needs nothing more than such an account to call the endpoint and delete user records they have no authority over.
To exploit it, the attacker sends a DELETE request for the chosen user ID to the REST endpoint while authenticated as a Timetics Customer. A request of the following shape is sufficient:
DELETE /wp-json/timetics/v1/customers/{user_id} HTTP/1.1
Host: vulnerable-website.com
Cookie: wordpress_logged_in_{hash}={session cookie of the Timetics Customer account}
X-WP-Nonce: {wp_rest nonce for that session}
Here {user_id} is the numeric ID of the WordPress user the attacker wants to delete. The request must carry one of the authentication methods the WordPress REST API accepts: the logged-in session cookie together with a valid wp_rest nonce in the X-WP-Nonce header (as shown), or HTTP Basic authentication with an Application Password for the same account. WordPress core does not issue bearer tokens; the only precondition is an authenticated Timetics Customer session.
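The following PHP is an added illustration of the bug class described above; it is not code from WP Timetics, and the route name, function names and messages are invented. It registers a user-deleting REST route once and shows two candidate permission callbacks side by side: one that only proves the caller is logged in (the pattern that lets a Timetics Customer delete anyone) and one that checks the delete_user meta capability against the specific target ID.

```php
<?php
// Added illustrative example; not the plugin's own code. Route ('example/v1')
// and function names are hypothetical.

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/customers/(?P<id>\d+)', array(
		'methods'  => WP_REST_Server::DELETABLE,
		'callback' => 'example_delete_customer',
		'args'     => array(
			'id' => array(
				'required'          => true,
				'sanitize_callback' => 'absint',
				'validate_callback' => function ( $value ) {
					return is_numeric( $value ) && (int) $value > 0;
				},
			),
		),
		// Swap in 'example_permission_loose' to reproduce the vulnerable pattern.
		'permission_callback' => 'example_permission_strict',
	) );
} );

// VULNERABLE pattern: every authenticated account passes, including a customer
// created through the booking flow, so the caller may name any user ID.
function example_permission_loose( WP_REST_Request $request ) {
	return is_user_logged_in();
}

// HARDENED pattern: require the capability for deleting *this* user.
// 'delete_user' is mapped by map_meta_cap() onto 'delete_users', which only
// administrators hold by default; a customer-level account gets a 401/403.
function example_permission_strict( WP_REST_Request $request ) {
	$target = (int) $request['id'];
	if ( ! current_user_can( 'delete_user', $target ) ) {
		return new WP_Error(
			'rest_forbidden',
			__( 'Sorry, you are not allowed to delete this user.' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}
	// Do not let an administrator remove their own account through this route.
	if ( get_current_user_id() === $target ) {
		return new WP_Error(
			'rest_cannot_delete_self',
			__( 'The current user cannot be deleted.' ),
			array( 'status' => 400 )
		);
	}
	return true;
}

function example_delete_customer( WP_REST_Request $request ) {
	require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here
	$id = (int) $request['id'];
	if ( ! get_userdata( $id ) ) {
		return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) );
	}
	return rest_ensure_response( array( 'deleted' => (bool) wp_delete_user( $id ) ) );
}
```

The point of checking the meta capability with the target ID, rather than a bare is_user_logged_in() or even a role name, is that WordPress resolves delete_user through map_meta_cap(), so the decision follows whatever capabilities the site has actually granted instead of whatever the plugin assumed about its own roles.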
References
For more information on the WP Timetics Plugin vulnerability, you can refer to the following resources:
1. Official WP Timetics Plugin Website
2. CVE-2024-11275 Database Entry
Mitigation
The plugin developers have issued a patch in version 1..28 that adds the missing capability check to the endpoint. All users of the WP Timetics Plugin should update to the latest available version immediately. After updating, review the site's user list and any activity or access logs for unexpected user deletions that occurred while the vulnerable version was in use.
For users who cannot update the plugin immediately, the exposure can be reduced in the following ways:
1. Blocking DELETE requests to the /wp-json/timetics/v1/customers/ path at the web server, for example with mod_rewrite rules in .htaccess on Apache or a location block on Nginx. Two caveats apply to such rules: the same route is also reachable as /?rest_route=/timetics/v1/customers/{user_id} regardless of permalink settings, and WordPress lets a POST impersonate a DELETE through the _method query parameter or the X-HTTP-Method-Override header, so a rule that only matches the literal DELETE method under the /wp-json/ prefix can be bypassed. A WordPress-level filter that inspects the parsed REST request does not have this problem.
2. Reducing who can obtain a Timetics Customer account, since that account is the only precondition for the attack: disable open user registration (Settings > General, "Anyone can register") if it is not needed, and review existing customer accounts for ones that do not correspond to a real booking.
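As an added example of the WordPress-level alternative to web server rules, not part of WP Timetics or its vendor's guidance, the following must-use plugin short-circuits the REST dispatcher for the affected route until the patched version is installed. The plugin name and log prefix are made up; the hooks, methods and capability names are WordPress core.

```php
<?php
/**
 * Plugin Name: Temporary guard for Timetics customer deletion (hypothetical)
 * Description: Added example, not part of WP Timetics. Place in wp-content/mu-plugins/
 *              until the patched plugin is installed, then remove.
 */

// rest_pre_dispatch runs before the route's callback and its permission_callback.
// Working here instead of in .htaccess/nginx has two advantages:
//  - $request->get_route() is identical whether the call arrived as
//    /wp-json/timetics/v1/customers/5 or as /?rest_route=/timetics/v1/customers/5;
//  - $request->get_method() already reflects the _method query parameter and the
//    X-HTTP-Method-Override header that WP_REST_Server honours on POST requests.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
	if ( 'DELETE' !== $request->get_method() ) {
		return $result;
	}
	if ( ! preg_match( '#^/timetics/v1/customers(?:/|$)#', $request->get_route() ) ) {
		return $result;
	}
	// Administrators keep working: delete_users is the capability the route
	// should have required in the first place.
	if ( current_user_can( 'delete_users' ) ) {
		return $result;
	}
	// Leave an audit trail; a blocked call from a customer account is an attack attempt.
	error_log( sprintf(
		'[timetics-guard] blocked DELETE %s by user %d from %s',
		$request->get_route(),
		get_current_user_id(),
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
	) );
	return new WP_Error(
		'rest_forbidden',
		__( 'Customer deletion is disabled until the plugin is updated.' ),
		array( 'status' => 403 )
	);
}, 10, 3 );
```

Returning a WP_Error from rest_pre_dispatch makes the server send that error instead of routing the request, so the plugin's vulnerable handler is never reached. Unauthenticated callers (user ID 0) fail the capability check and are blocked as well; because the check is on delete_users rather than on a role name, a site that has granted that capability to a custom role continues to work.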
Conclusion
This post addressed the CVE-2024-11275 vulnerability present in all versions of the WP Timetics Plugin up to, and including, 1..27, which allows authenticated attackers with Timetics Customer access to delete arbitrary users. Patches are available in version 1..28, making it crucial for users to update their plugin as soon as possible. By keeping the plugin updated and following recommended security practices, users can minimize the risk of unauthorized data loss.
Timeline
Published on: 12/13/2024 09:15:04 UTC