Timetics
Monthly
Cross-Site Scripting in the Timetics WordPress appointment-booking plugin (by Arraytics) affects all versions up to and including 1.0.58, allowing unauthenticated remote attackers to inject script that executes in a victim's browser after the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), a successful injection can affect resources beyond the vulnerable component, such as the browser session of a logged-in administrator. There is no public exploit identified at time of analysis, the CVE is not listed in CISA KEV, and no EPSS score was provided.
Missing authorization in Timetics WordPress plugin through version 1.0.53 allows unauthenticated remote attackers to bypass access controls and access sensitive administrative functions or data. With CVSS 8.2 (High), the vulnerability enables high confidentiality impact and low integrity impact against network-accessible instances. Patchstack reported this broken access control flaw, indicating potential exposure of booking systems, customer data, or administrative operations to unauthorized access without authentication.
Cross-Site Scripting in the Timetics WordPress appointment-booking plugin (by Arraytics) affects all versions up to and including 1.0.58, allowing unauthenticated remote attackers to inject script that executes in a victim's browser after the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), a successful injection can affect resources beyond the vulnerable component, such as the browser session of a logged-in administrator. There is no public exploit identified at time of analysis, the CVE is not listed in CISA KEV, and no EPSS score was provided.
Missing authorization in Timetics WordPress plugin through version 1.0.53 allows unauthenticated remote attackers to bypass access controls and access sensitive administrative functions or data. With CVSS 8.2 (High), the vulnerability enables high confidentiality impact and low integrity impact against network-accessible instances. Patchstack reported this broken access control flaw, indicating potential exposure of booking systems, customer data, or administrative operations to unauthorized access without authentication.