Medium severity4.3NVD Advisory· Published May 28, 2026· Updated May 28, 2026
CVE-2026-9228
CVE-2026-9228
Description
The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the action_get_event_data due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to enumerate timeslot IDs and read the full WP_Post object — including post_content, post_excerpt, post_status, and post_author — of draft, pending, and private mp-event posts belonging to other users, along with their associated raw timeslot descriptions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=2.4.16+ 1 more
- (no CPE)range: <=2.4.16
- (no CPE)range: <=2.4.16
Patches
Vulnerability mechanics
References
6- plugins.trac.wordpress.org/browser/mp-timetable/tags/2.4.16/classes/class-core.phpnvd
- plugins.trac.wordpress.org/browser/mp-timetable/tags/2.4.16/classes/class-hooks.phpnvd
- plugins.trac.wordpress.org/browser/mp-timetable/tags/2.4.16/classes/controllers/class-controller-events.phpnvd
- plugins.trac.wordpress.org/browser/mp-timetable/tags/2.4.16/classes/models/class-events.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/9adf94ac-30ef-4c24-afa6-04248c25bd7fnvd
News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)Wordfence Blog · Jun 4, 2026