CVE-2024-11275

Name of the Vulnerable Software and Affected Versions WP Timetics - AI-powered Appointment Booking Calendar and Online Scheduling Plugin versions up to, and including, 1.0.27

Description The issue concerns a missing capability check on the "/wp-json/timetics/v1/customers/" REST API endpoint. This allows authenticated attackers with Timetics Customer access and above to delete arbitrary users, resulting in unauthorized loss of data.

Recommendations For versions up to, and including, 1.0.27, update to a version higher than 1.0.27 to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-json/timetics/v1/customers/" endpoint until a patch is available. Restrict Timetics Customer access and above to minimize the risk of exploitation.