PT-2026-8086 · WordPress · Scheduler Widget
Morelmathieuj
·
Publicado
2026-02-14
·
Atualizado
2026-02-14
·
CVE-2026-1987
CVSS v3.1
5.4
Média
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Scheduler Widget versions prior to 0.1.7
Description
The Scheduler Widget plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. The
scheduler widget ajax save event() function does not adequately verify authorization or ownership when updating events. This allows authenticated attackers with Subscriber-level access or higher to modify any event in the scheduler by manipulating the id parameter, provided they know the event ID.Recommendations
Update the Scheduler Widget plugin to version 0.1.7 or later.
Correção
IDOR
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Scheduler Widget