PT-2021-16100 · WordPress · Timetable/Event Schedule
Dc11 · Published 2021-09-20 · Updated 2022-12-20 · CVE-2021-24584
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Timetable and Event Schedule WordPress plugin versions prior to 2.4.2
Timetable and Event Schedule WordPress plugin versions prior to 2.3.19

Description
The issue concerns a lack of proper access control when updating timeslots, allowing any user with the edit posts capability to update arbitrary timeslots from any events. Additionally, there is no CSRF check in place, making it possible to perform such attacks via CSRF against a logged-in user with the required capability. In versions before 2.3.19, the lack of sanitization and escaping in certain fields, such as the description, could also lead to Stored XSS issues.

Recommendations
For versions prior to 2.4.2, update to version 2.4.2 or later to resolve the issue. For versions prior to 2.3.19, update to version 2.3.19 or later to address the Stored XSS issues, and then update further to version 2.4.2 or later to fully resolve the access control and CSRF issues.
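The three controls the description says were missing (a CSRF nonce check, an object-level capability check on the specific timeslot rather than a blanket edit-posts check, and sanitization of fields such as the description) are shown together in the following hardened handler. This is an added example written for this advisory, not code from the plugin; the action name, nonce name, post type and meta keys are assumptions.

```php
<?php
// Hypothetical WordPress AJAX handler for updating one timeslot of an event.
// All identifiers below (ts_update_timeslot, ts_timeslot_nonce, the 'timeslot'
// post type, _ts_event_id / _ts_description meta keys) are assumed, not the
// plugin's real names. The form that calls this handler would emit the nonce with
// wp_nonce_field( 'ts_update_timeslot', 'ts_timeslot_nonce' ).

add_action( 'wp_ajax_ts_update_timeslot', 'ts_update_timeslot' );

function ts_update_timeslot() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    check_ajax_referer() terminates the request if it is missing or stale.
    check_ajax_referer( 'ts_update_timeslot', 'ts_timeslot_nonce' );

    $timeslot_id = isset( $_POST['timeslot_id'] ) ? absint( $_POST['timeslot_id'] ) : 0;
    $event_id    = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    $timeslot    = $timeslot_id ? get_post( $timeslot_id ) : null;

    // 2. Object-level access control. A blanket current_user_can( 'edit_posts' )
    //    is what let any editor touch any timeslot; check the specific objects.
    if ( ! $timeslot || 'timeslot' !== $timeslot->post_type
         || ! current_user_can( 'edit_post', $timeslot_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // The timeslot must belong to the event the caller is allowed to edit.
    if ( (int) get_post_meta( $timeslot_id, '_ts_event_id', true ) !== $event_id
         || ! current_user_can( 'edit_post', $event_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Sanitize on the way in. wp_kses_post() keeps only post-safe HTML in the
    //    description; the start time is reduced to plain text and validated.
    $description = isset( $_POST['description'] )
        ? wp_kses_post( wp_unslash( $_POST['description'] ) ) : '';
    $start = isset( $_POST['start'] )
        ? sanitize_text_field( wp_unslash( $_POST['start'] ) ) : '';
    if ( ! preg_match( '/^(?:[01]\d|2[0-3]):[0-5]\d$/', $start ) ) {
        wp_send_json_error( array( 'message' => 'Invalid start time' ), 400 );
    }

    update_post_meta( $timeslot_id, '_ts_description', $description );
    update_post_meta( $timeslot_id, '_ts_start', $start );

    // 4. Escape on the way out: values echoed back are escaped for their context.
    wp_send_json_success( array(
        'timeslot_id' => $timeslot_id,
        'start'       => esc_html( $start ),
        'description' => wp_kses_post( $description ),
    ) );
}
```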

Tags: Exploit · Fix · XSS · CSRF

Weakness Enumeration

Related Identifiers: CVE-2021-24584

Affected Products: Timetable/Event Schedule