PT-2021-16101 · WordPress · Timetable/Event Schedule
Dc11 · Published 2021-09-20 · Updated 2021-10-01 · CVE-2021-24585

CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
The Timetable and Event Schedule WordPress plugin versions prior to 2.4.0
Description
The issue allows low-privilege users holding the `edit_posts` capability to retrieve sensitive user data, including hashed passwords, usernames, and email addresses, by requesting event Timeslot data and iterating over the user ID. This can be combined with another issue where an arbitrary user ID can be set, potentially allowing unauthorized access to sensitive information.

Recommendations
For versions prior to 2.4.0, update to version 2.4.0 or later to resolve the issue.
As a temporary workaround, consider restricting the `edit_posts` capability to high-privilege users until the update is applied.
Restrict access to the event Timeslot data to minimize the risk of exploitation.
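The following is an added, hypothetical example and not code from the Timetable/Event Schedule plugin. It shows the defensive pattern that closes this class of issue on the server side (derive the user from the stored timeslot instead of a client-supplied ID, gate on a capability above `edit_posts`, and return an allowlist of fields rather than a serialized `WP_User`, which carries `user_pass`, `user_login` and `user_email`), plus the role-based temporary workaround from the recommendations above. The hook name `wp_ajax_ex_timeslot_owner`, the `ex_` functions, and the assumption that a timeslot is stored as a post with a `post_author` are all assumptions of this example.

```php
<?php
// Added, hypothetical example; not the plugin's own code.
// Assumes timeslots are stored as WordPress posts (post_author = owner).

add_action( 'wp_ajax_ex_timeslot_owner', 'ex_timeslot_owner_handler' );

/**
 * AJAX handler: returns only public profile fields for the owner of a timeslot.
 */
function ex_timeslot_owner_handler() {
    // CSRF check; the nonce is created with wp_create_nonce( 'ex_timeslot_owner' ).
    check_ajax_referer( 'ex_timeslot_owner', 'nonce' );

    // Capability gate above edit_posts: contributors are denied.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $timeslot_id = isset( $_POST['timeslot_id'] ) ? absint( $_POST['timeslot_id'] ) : 0;
    $timeslot    = $timeslot_id ? get_post( $timeslot_id ) : null;
    if ( ! $timeslot ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    // The user ID is taken from the stored timeslot, never from a
    // client-supplied user_id parameter, so callers cannot walk user IDs.
    $owner = get_userdata( (int) $timeslot->post_author );
    $data  = ex_public_user_fields( $owner );
    if ( null === $data ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( $data );
}

/**
 * Allowlist projection of a WP_User. Fields not listed here (user_pass,
 * user_email, user_login, user_activation_key) never leave the server.
 */
function ex_public_user_fields( $user ) {
    if ( ! ( $user instanceof WP_User ) ) {
        return null;
    }
    return array(
        'id'           => (int) $user->ID,
        'display_name' => $user->display_name,
    );
}

/**
 * Temporary workaround from the recommendations: remove edit_posts from the
 * contributor role until the plugin is updated. Role changes persist in the
 * database, so run this once (e.g. from an activation hook), not on every load;
 * reverse it later with $role->add_cap( 'edit_posts' ).
 */
function ex_restrict_edit_posts_workaround() {
    $role = get_role( 'contributor' );
    if ( $role ) {
        $role->remove_cap( 'edit_posts' );
    }
}
```

The second argument of `wp_send_json_error()` (HTTP status code) is available from WordPress 4.7 onward. The workaround function stops contributors from creating or editing posts at all, which is the trade-off the advisory's interim mitigation accepts; updating to 2.4.0 or later remains the actual fix.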
Weakness Enumeration
Information Disclosure
Related Identifiers
Affected Products
Timetable/Event Schedule