VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published May 28, 2026

CVE-2026-9228

Description

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the action_get_event_data due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to enumerate timeslot IDs and read the full WP_Post object — including post_content, post_excerpt, post_status, and post_author — of draft, pending, and private mp-event posts belonging to other users, along with their associated raw timeslot descriptions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IDOR in MotoPress Timetable plugin ≤2.4.16 allows authenticated attackers to read draft/pending/private mp-event posts of other users via action_get_event_data.

Vulnerability

The Timetable and Event Schedule by MotoPress plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in the action_get_event_data AJAX handler, located in class-controller-events.php [4]. This handler calls the get_event_data method on the Events model, passing a user-supplied id parameter without verifying the ownership or publication status of the requested event [1]. The get_event_data method uses the id field to query the mp_timetable_data table and returns the associated WP_Post object, including post_content, post_excerpt, post_status, and post_author fields, for any mp-event post regardless of its visibility (draft, pending, or private). The vulnerability affects all versions up to and including 2.4.16 [1][4].

Exploitation

An attacker must be authenticated with at least contributor-level access, which grants the edit_posts capability [4]. The attacker sends a POST request to admin-ajax.php that reaches the plugin's AJAX route, with the controller parameter set to event, mptt_action set to get_event_data, and a numeric id value naming a timeslot. The id parameter is validated only as an integer; it is never checked against the current user's permissions or against the post status of the event it resolves to, so the attacker can enumerate timeslot IDs (for example by iterating integers, or by harvesting them from other endpoints that expose them) and receive the full event data for any mp-event post, including those belonging to other users. No further privileges or user interaction are required beyond authentication [4].

Impact

Successful exploitation allows the attacker to read the complete WP_Post object of draft, pending, and private mp-event posts authored by other users. This includes the post content, excerpt, status, and author ID, as well as the associated raw timeslot descriptions. The vulnerability leads to unauthorized information disclosure of unpublished or private content, potentially exposing sensitive scheduling details or other confidential information stored within event posts [1][4].

Mitigation

As of the publication of this CVE, no patched version is named in the available references; the vendor is expected to ship a fix in a later release. A correct fix makes the authorization decision on the post that the timeslot resolves to, not on the user-supplied timeslot id itself: for example current_user_can('read_post', $post_id) on the looked-up mp-event post, which WordPress maps to plain read access for published posts, to ownership or edit_others_posts for drafts and pending posts, and to read_private_posts for private ones. Until a patch is available, site administrators should restrict contributor accounts to trusted users, consider refusing the event get_event_data AJAX route to users without edit_others_posts (at a Web Application Firewall or with a small must-use plugin), and watch the plugin's update page for a security release.
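An interim must-use plugin that refuses the event get_event_data route to users lacking edit_others_posts, written as an added example for this page (it is not vendor code). It keys on the controller and mptt_action request fields the advisory names, so the plugin's own AJAX action value, which this page does not give, is not needed; the file name, function name and log format are assumptions. Since the page states the route already requires edit_posts, the guard changes behaviour only for contributor- and author-level accounts.

```php
<?php
/**
 * Plugin Name: Interim guard for the MotoPress Timetable get_event_data route
 *
 * Added example, not vendor code. Drop into wp-content/mu-plugins/ (assumed file
 * name: mptt-event-data-guard.php) and remove once a patched plugin is installed.
 */

/**
 * Decide whether a request for the vulnerable route should be refused.
 * Kept as a pure function over the request array so it can be exercised
 * without a WordPress bootstrap.
 */
function example_mptt_guard_should_block( array $params, bool $can_edit_others ) : bool {
    $controller = isset( $params['controller'] ) ? (string) $params['controller'] : '';
    $action     = isset( $params['mptt_action'] ) ? (string) $params['mptt_action'] : '';

    if ( 'event' !== $controller || 'get_event_data' !== $action ) {
        return false; // some other plugin route: leave it alone
    }
    // Contributors and authors lack edit_others_posts; editors and administrators
    // hold it and may legitimately see other users' unpublished events.
    return ! $can_edit_others;
}

add_action( 'admin_init', function () {
    // admin-ajax.php fires admin_init before it dispatches wp_ajax_{action},
    // so this runs ahead of the plugin's route handler.
    if ( ! wp_doing_ajax() ) {
        return;
    }
    if ( example_mptt_guard_should_block( $_REQUEST, current_user_can( 'edit_others_posts' ) ) ) {
        error_log( sprintf(
            'mptt guard: refused get_event_data id=%d for user %d',
            isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0,
            get_current_user_id()
        ) );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
} );
```

The guard is deliberately coarse: a contributor who used the route to fetch data about their own events loses that until the patched version is installed. The proper fix is a read_post check on the resolved post inside the handler, which keeps owner access intact; this file only buys time. The error_log line gives a simple signal to watch for id-iteration attempts from a single account.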

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authorization validation on a user-controlled event ID in the action_get_event_data AJAX handler allows reading arbitrary WP_Post objects of mp-event posts regardless of ownership or post status."

Attack vector

An authenticated attacker with at least contributor-level access sends a crafted AJAX request to `admin-ajax.php` with the `action` parameter set to the plugin's route handler, `controller` set to `event`, and `mptt_action` set to `get_event_data`, along with a numeric event ID. The plugin checks only that the user has the `edit_posts` capability (which contributors possess) but does not verify that the requested event belongs to the current user or that its post status (e.g., draft, pending, private) permits reading. This allows the attacker to enumerate timeslot IDs and read the full `WP_Post` object — including `post_content`, `post_excerpt`, `post_status`, and `post_author` — of any `mp-event` post, including unpublished or private events belonging to other users, along with associated raw timeslot descriptions [ref_id=1].

Affected code

The vulnerability resides in the `action_get_event_data` AJAX handler within the Timetable and Event Schedule by MotoPress plugin. The code path is triggered via the `wp_ajax_route_url` method in `class-core.php` (around line 311 of version 2.4.16), which routes requests to a controller action based on user-supplied `mptt_action` and `controller` parameters. The `action_get_event_data` function lacks authorization checks on a user-controlled key (the event/timeslot ID), allowing any authenticated user with `edit_posts` capability to retrieve full WP_Post objects of any `mp-event` post, regardless of ownership or post status.

What the fix does

The advisory does not include a published patch. The remediation would add an authorization check inside `action_get_event_data` on the `mp-event` post that the supplied timeslot id resolves to: release its data only when the post is publicly viewable, or when the requesting user either owns it or holds the capability (e.g., `edit_others_posts`) to view other users' unpublished content. In WordPress terms that is `current_user_can('read_post', $post_id)` evaluated on the resolved post ID, not on the user-controlled timeslot id. Without such a check, any authenticated user with `edit_posts` can bypass the intended access control and read the post data [ref_id=1].
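The vulnerable pattern the advisory describes beside a hardened handler, as an added example written for this page; it is a reconstruction of the described behaviour, not the plugin's source. The column names (`event_id`, `description`) in the `mp_timetable_data` table, the function names, the nonce action name and the AJAX hook name are assumptions; only the WordPress API calls are real.

```php
<?php
// Added example: reconstruction of the pattern the advisory describes, not the
// plugin's source. Assumed: column names event_id/description in the
// mp_timetable_data table, the function names, the nonce action and hook names.

/**
 * Vulnerable pattern: the timeslot id is validated as an integer only, then the
 * associated mp-event post is returned in full, whatever its status or author.
 */
function example_vulnerable_get_event_data() {
    global $wpdb;
    $timeslot_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT event_id, description FROM {$wpdb->prefix}mp_timetable_data WHERE id = %d",
        $timeslot_id
    ) );
    if ( ! $row ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Full WP_Post (post_content, post_excerpt, post_status, post_author ...) goes
    // to any user with edit_posts: this is the IDOR.
    wp_send_json_success( array(
        'post'        => get_post( (int) $row->event_id ),
        'description' => $row->description,
    ) );
}

/**
 * Hardened handler: same lookup, but the authorization decision is made on the
 * post the timeslot resolves to, and the response carries only needed fields.
 */
function example_hardened_get_event_data() {
    global $wpdb;

    // CSRF: the front end must send a nonce minted for this action (assumed name).
    check_ajax_referer( 'example_mptt_event_data', 'nonce' );

    $timeslot_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $timeslot_id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    $row  = $wpdb->get_row( $wpdb->prepare(
        "SELECT event_id, description FROM {$wpdb->prefix}mp_timetable_data WHERE id = %d",
        $timeslot_id
    ) );
    $post = $row ? get_post( (int) $row->event_id ) : null;

    // read_post is a meta capability: WordPress resolves it to plain 'read' for
    // published posts, to ownership or edit_others_posts for drafts and pending
    // posts, and to read_private_posts for private ones. Checking it on the
    // resolved post ID, not on the user-supplied timeslot id, closes the IDOR.
    if ( ! $post || 'mp-event' !== $post->post_type
         || ! current_user_can( 'read_post', $post->ID ) ) {
        // Identical response for "missing" and "forbidden", so the endpoint cannot
        // be used to confirm which timeslot ids exist.
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array(
        'id'          => $post->ID,
        'title'       => $post->post_title,
        'content'     => $post->post_content,
        'description' => $row->description,
    ) );
}

// Assumed hook name; the real plugin dispatches through its own route handler.
add_action( 'wp_ajax_example_get_event_data', 'example_hardened_get_event_data' );
```

Two design choices matter here. The capability check is applied after the timeslot-to-post lookup, because the attacker controls the timeslot id and the thing being protected is the post; a check keyed on the id itself would have nothing meaningful to decide. And the response is reduced to named fields, so that even a future authorization slip does not hand out post_status, post_author and the rest of the WP_Post object.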

Preconditions

  • auth: Attacker must have an authenticated WordPress account with at least contributor-level access (edit_posts capability).
  • config: The Timetable and Event Schedule by MotoPress plugin must be installed and active, version <= 2.4.16.
  • input: The target site must have at least one mp-event post in draft, pending, or private status belonging to another user.
  • input: Attacker must know or be able to enumerate valid timeslot/event IDs.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.