CVE-2020-36840
📋 TL;DR
The Timetable and Event Schedule WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to execute AJAX functions normally restricted to administrators. This affects all WordPress sites using plugin versions 2.3.8 and earlier. Attackers can inject malicious scripts, include arbitrary templates, and perform other unauthorized actions.
💻 Affected Systems
- Timetable and Event Schedule by MotoPress WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through remote code execution, data theft, defacement, or malware injection leading to credential harvesting and lateral movement.
Likely Case
Website defacement, SEO spam injection, malicious redirects, or backdoor installation for persistent access.
If Mitigated
Limited impact if web application firewall blocks malicious requests or if plugin is disabled.
🎯 Exploit Status
Simple HTTP POST request to wp-admin/admin-ajax.php with specific parameters can trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.9
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2288592%40mp-timetable&new=2288592%40mp-timetable&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Timetable and Event Schedule by MotoPress'.
4. Click 'Update Now' if available, or download version 2.3.9+ from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the plugin until patched
wp plugin deactivate mp-timetable
Web Application Firewall rule
Block requests to the vulnerable AJAX action
# Example ModSecurity rule: deny admin-ajax.php calls whose 'action' parameter contains 'route_url'.
# (Matching every admin-ajax.php request instead would also break legitimate plugin and admin functionality.)
SecRule REQUEST_URI "@contains admin-ajax.php" "id:1001,phase:2,deny,chain,msg:'Blocking MP Timetable exploit'"
  SecRule ARGS:action "@contains route_url"
🧯 If You Can't Patch
- Disable the Timetable and Event Schedule plugin immediately
- Implement strict WAF rules blocking all requests to /wp-admin/admin-ajax.php with 'action' parameter containing 'route_url'
🔍 How to Verify
Check if Vulnerable:
Check the plugin version under WordPress admin → Plugins → Timetable and Event Schedule. If it is 2.3.8 or earlier, the site is vulnerable.
Check Version:
wp plugin get mp-timetable --field=version
Verify Fix Applied:
Confirm plugin version is 2.3.9 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action=route_url' parameter
- Unusual file modifications in wp-content/plugins/mp-timetable/
Network Indicators:
- HTTP POST to admin-ajax.php with 'action=route_url' from unauthenticated sources
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="route_url" AND user="-"
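The log indicators above, turned into a small detector that runs over web-server access logs. This is an added example, not part of the original advisory: it parses combined-format lines (constructed samples below) and flags admin-ajax.php calls whose 'action' query parameter contains 'route_url'. It matches any HTTP method, not only POST, because admin-ajax.php dispatches on the request's 'action' regardless of method.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" log format. The third field is HTTP auth user (usually "-"),
# not the WordPress login state, so it cannot prove the caller was unauthenticated.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<authuser>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """True for admin-ajax.php requests whose 'action' parameter contains 'route_url'."""
    if entry is None:
        return False
    parts = urlsplit(entry["target"])
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    actions = parse_qs(parts.query).get("action", [])
    return any("route_url" in a for a in actions)

def scan(lines):
    """Return (ip, time, method, target, status) for every matching log line."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if is_suspicious(e):
            hits.append((e["ip"], e["time"], e["method"], e["target"], e["status"]))
    return hits

# Constructed sample log: two hits (a POST and a GET), one benign heartbeat call, one static file fetch.
SAMPLE_LOG = """
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=route_url HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 82
203.0.113.10 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-content/plugins/mp-timetable/readme.txt HTTP/1.1" 200 3011
192.0.2.5 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=route_url HTTP/1.1" 200 4096
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs only record the query string; an 'action' sent in the POST body is invisible here and needs request-body logging (for example a ModSecurity audit log) to detect.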