PatchSiren cyber security CVE debrief
CVE-2026-9228 jetmonsters CVE debrief
The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to and including 2.4.16. The vulnerability exists in the `action_get_event_data` functionality, which fails to validate user-controlled keys. Authenticated attackers with contributor-level access or higher can enumerate timeslot IDs and retrieve complete WP_Post objects—including post_content, post_excerpt, post_status, and post_author—for draft, pending, and private mp-event posts belonging to other users, along with their associated raw timeslot descriptions. The CVSS 3.1 score of 4.3 (MEDIUM) reflects the network attack vector, low attack complexity, required low privileges, and low confidentiality impact. The vulnerability was disclosed on 2026-05-28 and is classified under CWE-639. No known exploitation in ransomware campaigns has been reported.
- Vendor: jetmonsters
- Product: Timetable and Event Schedule by MotoPress
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
WordPress site administrators using MotoPress Timetable plugin; security teams monitoring content management platform vulnerabilities; compliance officers concerned with unauthorized data access by internal users
Technical summary
The vulnerability stems from missing authorization checks in the `action_get_event_data` AJAX handler. The plugin retrieves event data based on user-supplied identifiers without verifying ownership or post status visibility permissions. This allows enumeration of sequential or predictable timeslot IDs to extract sensitive post metadata and content that would normally be restricted by WordPress capability checks. The WP_Post object leakage includes draft and private content, creating information disclosure risk for unpublished event materials.
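The following is an added illustration of the authorization pattern the summary above says is missing; it is not the MotoPress plugin's code and does not reproduce its handler. The action name `get_event_data`, the `timeslot_id` request parameter, the `mptt_event_nonce` nonce name and the `_event_id` post-meta key are all assumptions chosen for the example. The point is step 3: a user-controlled key is never trusted until the referenced object is resolved and the caller's right to read that specific post is checked.

```php
<?php
// Added example: a WordPress AJAX handler that returns event data only after
// nonce, input and object-level authorization checks. Not the plugin's code.
// Assumed names: action 'get_event_data', parameter 'timeslot_id',
// nonce 'mptt_event_nonce', post meta '_event_id' linking timeslot to event.

add_action( 'wp_ajax_get_event_data', 'example_secure_get_event_data' );

function example_secure_get_event_data() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'mptt_event_nonce', 'nonce' );

    // 2. Validate the user-controlled key: a positive integer, nothing else.
    $timeslot_id = isset( $_POST['timeslot_id'] ) ? absint( $_POST['timeslot_id'] ) : 0;
    if ( 0 === $timeslot_id ) {
        wp_send_json_error( array( 'message' => 'Invalid timeslot id.' ), 400 );
    }

    // Assumption for the example: a timeslot stores its parent event post id in meta.
    $event_id = (int) get_post_meta( $timeslot_id, '_event_id', true );
    $event    = $event_id ? get_post( $event_id ) : null;

    // 3. Object-level authorization (the CWE-639 fix): the referenced post must
    //    exist, be the expected type, and be readable by the current user.
    //    current_user_can( 'read_post', $id ) maps through the post type's
    //    capabilities, so a draft, pending or private post owned by another
    //    author is denied to a contributor. This requires the post type to be
    //    registered with map_meta_cap enabled.
    if ( ! $event instanceof WP_Post
         || 'mp-event' !== $event->post_type
         || ! current_user_can( 'read_post', $event->ID ) ) {
        // Same response for "missing" and "forbidden" so the endpoint does not
        // confirm which ids exist.
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // 4. Return only the fields the front end needs, never the raw WP_Post
    //    object (which would carry post_status, post_author, raw content, etc.).
    wp_send_json_success( array(
        'id'      => $event->ID,
        'title'   => get_the_title( $event ),
        'content' => apply_filters( 'the_content', $event->post_content ),
    ) );
}
```

Two design choices worth noting: the status check is delegated to WordPress's own capability mapping rather than hand-written `post_status` comparisons, so private, draft and pending posts are all covered by one call; and the response is built from an allow-list of fields, which limits what leaks even if a later authorization bug is introduced.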
Defensive priority
medium
Recommended defensive actions
- Upgrade Timetable and Event Schedule by MotoPress plugin to version 2.4.17 or later
- Review access logs for unusual `action_get_event_data` AJAX requests from contributor-level accounts
- Audit mp-event posts for unauthorized access indicators
- Implement principle of least privilege by restricting contributor access where unnecessary
- Consider Web Application Firewall rules to validate event data requests
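To support the log-review action above, here is an added detection example that is not tooling from the page or the vendor. It assumes a standard combined-format web server access log, that the AJAX action arrives as `action=get_event_data` in the query string, and that the user-controlled key is `timeslot_id`; all three names are assumptions. The sample log lines are constructed for the example. It flags clients that request many distinct timeslot ids against that action, which is the enumeration pattern described in the technical summary.

```php
<?php
// Added example: flag clients enumerating timeslot ids via the event-data AJAX action.
// Not part of the original advisory. Requires PHP 8 (str_ends_with).
// Assumptions: combined log format, action name 'get_event_data', id parameter 'timeslot_id'.
// Caveat: parameters sent only in a POST body do not appear in access logs; for those,
// WAF or request-body audit logging is needed.

// Constructed sample: one client walking sequential ids, one normal client.
$sample_log = <<<'LOG'
203.0.113.7 - - [28/May/2026:10:01:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_event_data&timeslot_id=101 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_event_data&timeslot_id=102 HTTP/1.1" 200 790 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_event_data&timeslot_id=103 HTTP/1.1" 200 805 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=get_event_data&timeslot_id=104 HTTP/1.1" 200 799 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=get_event_data&timeslot_id=105 HTTP/1.1" 200 811 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:10:01:04 +0000] "GET /wp-admin/admin-ajax.php?action=get_event_data&timeslot_id=106 HTTP/1.1" 200 803 "-" "Mozilla/5.0"
198.51.100.20 - - [28/May/2026:10:05:10 +0000] "GET /wp-admin/admin-ajax.php?action=get_event_data&timeslot_id=42 HTTP/1.1" 200 815 "-" "Mozilla/5.0"
198.51.100.20 - - [28/May/2026:10:05:11 +0000] "GET /wp-admin/edit.php?post_type=mp-event HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into ip, timestamp, method, path, query params, status.
function parse_line(string $line): ?array {
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    parse_str($url['query'] ?? '', $params);
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'params' => $params,
        'status' => (int) $m[5],
    ];
}

// Count distinct id values per client for the given admin-ajax action and return
// the clients at or above the threshold.
function find_enumerators(string $log, string $action, string $id_param, int $threshold): array {
    $ids_by_ip = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null || !str_ends_with($r['path'], '/admin-ajax.php')) {
            continue;
        }
        if (($r['params']['action'] ?? '') !== $action || !isset($r['params'][$id_param])) {
            continue;
        }
        $ids_by_ip[$r['ip']][$r['params'][$id_param]] = true;
    }
    $flagged = [];
    foreach ($ids_by_ip as $ip => $ids) {
        if (count($ids) >= $threshold) {
            $flagged[$ip] = count($ids);
        }
    }
    return $flagged;
}

// With a threshold of 5, only 203.0.113.7 (6 distinct ids) is reported.
foreach (find_enumerators($sample_log, 'get_event_data', 'timeslot_id', 5) as $ip => $n) {
    printf("%s requested %d distinct timeslot ids via get_event_data: review this client\n", $ip, $n);
}
```

Access logs identify clients by IP, not by WordPress account, so tying a flagged client back to a specific contributor account needs application-level audit logging (for example from a security plugin) or session correlation. Tune the threshold to the site's normal front-end usage; a public timetable widget may legitimately fetch several timeslots per page view.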
Evidence notes
Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code analysis. Multiple source code references identify the vulnerable code paths in class-core.php, class-hooks.php, class-controller-events.php, and class-events.php. A changeset reference indicates remediation activity.