What the vulnerability does
01 Description
The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the action_get_event_data due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to enumerate timeslot IDs and read the full WP_Post object — including post_content, post_excerpt, post_status, and post_author — of draft, pending, and private mp-event posts belonging to other users, along with their associated raw timeslot descriptions.
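One hardened shape for an AJAX handler of this kind, as an added example (it is not the MotoPress plugin's code or its patch): the user-supplied timeslot ID is resolved to its event, the caller's right to read that specific post is checked, and only an allow-list of fields is returned. The action name, nonce name, `id` parameter, option name and `example_timeslot_to_event_id()` are hypothetical; the WordPress core calls are real.

```php
<?php
// Added example: hypothetical handler, not the plugin's own code.
// Assumed names: the 'example_get_event_data' action, the 'example_event_data'
// nonce, the 'id' parameter and the 'example_timeslot_map' option.

add_action( 'wp_ajax_example_get_event_data', 'example_get_event_data' );

/** Hypothetical lookup: map a timeslot ID to its parent mp-event post ID. */
function example_timeslot_to_event_id( int $timeslot_id ): int {
    // Assumed storage for this sketch: timeslot ID => event post ID in an option.
    $map = (array) get_option( 'example_timeslot_map', array() );
    return isset( $map[ $timeslot_id ] ) ? (int) $map[ $timeslot_id ] : 0;
}

function example_get_event_data(): void {
    // Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_event_data', 'nonce' );

    // Treat the key as untrusted input: force it to a non-negative integer.
    $timeslot_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $event_id    = $timeslot_id ? example_timeslot_to_event_id( $timeslot_id ) : 0;
    $post        = $event_id ? get_post( $event_id ) : null;

    // Object-level check. The 'read_post' meta capability lets any reader see
    // published posts, lets authors see their own, requires read_private_posts
    // for private posts, and falls back to edit rights for draft and pending.
    // Unknown and forbidden IDs get the same answer, so the response does not
    // reveal which timeslot IDs exist.
    if ( ! $post
        || 'mp-event' !== $post->post_type
        || ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // Return an explicit allow-list of fields, never the whole WP_Post object.
    wp_send_json_success(
        array(
            'id'    => $post->ID,
            'title' => get_the_title( $post ),
            'link'  => get_permalink( $post ),
        )
    );
}
```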
Explanation of Vulnerability in Simple Terms
02 Summary
Timetable and Event Schedule by MotoPress versions up to 2.4.16 contain an authorization flaw that allows authenticated users to access sensitive information they should not be able to view. The vulnerability requires a valid user account and network access but does not require user interaction. Site administrators should update to a version newer than 2.4.16 to remediate this issue.
What an attacker can do
03 Attacker Capabilities
Read sensitive information accessible only to higher-privileged users.
Potential impact on your site
04 Site Impact
Authenticated users can view data they should not have access to, risking exposure of private event or schedule information.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid user account on the site.
Key dates
06 Disclosure timeline
May 28, 2026: CVE published
May 28, 2026: Record updated