MEDIUM
jetmonsters
CVE published 2026-05-28
CVE-2026-9228
The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to and including 2.4.16. The vulnerability exists in the `action_get_event_data` functionality, which fails to validate user-controlled keys. Authenticated attackers with contributor-level access or higher can enumerate timeslot IDs and retrieve complete WP_Post ob [truncated]