MotoPress Timetable IDOR Leads to Sensitive Info Exposure (CVE-2026-9228)

Vulnerability Overview Vulnerability Name: Timetable and Event Schedule by MotoPress <= 2.4.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Function CVE ID: CVE-2026-9228 CVSS Score: 4.3 (Medium) Publish Date: May 27, 2026 Last Updated Date: May 28, 2026 Researcher: Jack Pan (Dark) - Black Lantern Security Impact Scope Software Type: Plugin Software Name: Timetable and Event Schedule by MotoPress Affected Versions: <= 2.4.16 Fixed Version: 2.4.17 Remediation Remediation Measure: Upgrade to version 2.4.17 or higher. Vulnerability Description This vulnerability allows authenticated attackers (Contributor level and above) to access sensitive information via the function. Attackers can exploit this flaw to enumerate timetable IDs and read complete WordPress post objects, including fields such as , , , and , as well as the raw timetable description belonging to private event posts of other users. Reference Links plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org Additional Information Authorization Bypass via User-Controlled Key: CVSS 3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Recent Vulnerabilities Timetable and Event Schedule by MotoPress <= 2.4.15 - Insecure Direct Object Reference to Authenticated (Contributor+) Event Disclosure - CVE ID: CVE-2025-12954 - CVSS Score: 5.3 - Researcher: Maksym (B@psd) - Date: November 12, 2025 Timetable and Event Schedule by MotoPress <= 2.4.13 - Authenticated (Admin+) PHP Object Injection - CVE ID: CVE-2024-39630 - CVSS Score: 6.6 - Researcher: Nguyen Phuong Bac - Date: July 22, 2024 Timetable and Event Schedule by MotoPress <= 2.4.11 - Authenticated (Contributor+) SQL Injection - CVE ID: CVE-2024-3342 - CVSS Score: 9.9 - Researcher: Krzysztof Zajac - Date: April 26, 2024 Timetable and Event Schedule by MotoPress <= 2.4.1 - Unauthorised Event TimeSlot Deletion - CVE ID: CVE-2021-24583 - CVSS Score: 4.1 - Researcher: dc11 - Date: August 23, 2021 Timetable and Event Schedule by MotoPress <= 2.4.1 - Unauthorised Event TimeSlot Scripting - CVE ID: CVE-2021-24584 - CVSS Score: 6.4 - Researcher: dc11 - Date: August 23, 2021 Timetable and Event Schedule by MotoPress <= 2.3.18 - Author Stored Cross-Site Scripting - CVE ID: CVE-2021-24724 - CVSS Score: 5.4 - Researcher: Martin Vensla - Date: August 23, 2021 Timetable and Event Schedule by MotoPress <= 2.3.19 - Arbitrary User's Hashed Password/Email/Username Disclosure - CVE ID: CVE-2021-24585 - CVSS Score: 6.5 - Researcher: dc11 - Date: August 23, 2021 Timetable and Event Schedule by MotoPress <= 2.3.8 - Missing Authorization - CVE ID: CVE-2020-36840 - CVSS Score: 7.1 - Researcher: Ram - Date: April 21, 2020 Summary This vulnerability encompasses multiple security issues within the Timetable and Event Schedule by MotoPress plugin, including insecure direct object references, PHP object injection, SQL injection, unauthorized event timeslot deletion and scripting, author stored cross-site scripting, arbitrary user's hashed password/email/username disclosure, and missing authorization. Users are advised to upgrade to the latest version as soon as possible to remediate these vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

MotoPress Timetable IDOR Leads to Sensitive Info Exposure (CVE-2026-9228)

More from this source