PT-2024-10850 · Motopress · The Timetable/Event Schedule By Motopress

Ram +1

Published 2024-10-16 · Updated 2024-10-30

CVE-2020-36840

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Timetable and Event Schedule by MotoPress plugin for WordPress, versions up to and including 2.3.8.
Description: The plugin registers the wp_ajax_route_url() function as a handler for a nopriv AJAX action (reachable through admin-ajax.php without a logged-in user) and performs no capability check inside it. Unauthenticated attackers can therefore call the function directly and perform various actions, including including arbitrary template files and injecting malicious web scripts into the rendered output.
Recommendations: If you run a version up to and including 2.3.8, update to the latest release. If you cannot update immediately, as a temporary workaround restrict access to the wp_ajax_route_url() handler (for example, remove its nopriv registration so that only authenticated users with an appropriate capability can reach it). Keep all plugins up to date to minimize the window of exposure.
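The following is a constructed PHP example added to this advisory to show the class of bug described above; it is not the MotoPress plugin's source, and every name prefixed "demo_" (the action name, the handler functions, the template names) is an assumption. The first handler shows the vulnerable pattern (a nopriv AJAX action with no capability check that builds an include path and echoes output from untrusted input); the second shows the hardened form (privileged hook only, capability check, nonce, allowlisted template name, escaped output).

```php
<?php
// Constructed illustration for this advisory; NOT the MotoPress plugin's code.
// All "demo_" identifiers and template names are assumptions.

// --- Vulnerable pattern -----------------------------------------------------
// Registering the same handler on wp_ajax_* AND wp_ajax_nopriv_* exposes it to
// anyone who can reach /wp-admin/admin-ajax.php?action=demo_route.
add_action( 'wp_ajax_demo_route',        'demo_route_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_route', 'demo_route_vulnerable' );

function demo_route_vulnerable() {
    // No current_user_can() check and no nonce: unauthenticated callers allowed.
    $template = isset( $_POST['template'] ) ? $_POST['template'] : 'default';
    $title    = isset( $_POST['title'] ) ? $_POST['title'] : '';

    // Include path assembled from untrusted input: lets a caller pull in
    // arbitrary template files from the filesystem.
    include plugin_dir_path( __FILE__ ) . 'templates/' . $template . '.php';

    // Untrusted input written to the response unescaped: script injection.
    echo '<div class="title">' . $title . '</div>';
    wp_die();
}

// --- Hardened pattern -------------------------------------------------------
// Only the privileged hook is registered; no wp_ajax_nopriv_* variant exists.
add_action( 'wp_ajax_demo_route', 'demo_route_secure' );

function demo_route_secure() {
    // 1. Authorization: require a capability appropriate to the action.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the client obtained this nonce from
    //    wp_create_nonce( 'demo_route' ) and sends it as the "nonce" field.
    check_ajax_referer( 'demo_route', 'nonce' );

    // 3. Allowlist the template name instead of building a path from input.
    $allowed  = array( 'default', 'compact', 'list' ); // assumed template set
    $template = isset( $_POST['template'] )
        ? sanitize_key( wp_unslash( $_POST['template'] ) )
        : 'default';
    if ( ! in_array( $template, $allowed, true ) ) {
        wp_send_json_error( 'unknown template', 400 );
    }
    include plugin_dir_path( __FILE__ ) . 'templates/' . $template . '.php';

    // 4. Sanitize on input and escape on output.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    echo '<div class="title">' . esc_html( $title ) . '</div>';
    wp_die();
}
```

When auditing a plugin for this class of issue, grep for wp_ajax_nopriv_ registrations and confirm that every handler reached that way either needs no privilege at all or performs its own current_user_can() and nonce checks before touching the filesystem or echoing request data.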

Fix

Update to a release later than 2.3.8 (see Recommendations above).

Weakness Enumeration

CWE-862: Missing Authorization

Related Identifiers

CVE-2020-36840

Affected Products

The Timetable/Event Schedule By Motopress