CVE-2025-12954
📋 TL;DR
This vulnerability in the Timetable and Event Schedule WordPress plugin allows users with Contributor-level permissions to duplicate and view events they shouldn't have access to. It affects WordPress sites using vulnerable versions of the plugin, potentially exposing sensitive event information to unauthorized users.
💻 Affected Systems
- Timetable and Event Schedule by MotoPress WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Contributor-level users could access and duplicate confidential events containing sensitive information like private meeting details, restricted schedules, or proprietary business information.
Likely Case
Contributors accidentally or intentionally viewing events they shouldn't have access to, potentially exposing internal scheduling information or private event details.
If Mitigated
Minimal impact if proper access controls and user role management are already in place, limiting what contributors can see in normal operations.
🎯 Exploit Status
Exploitation requires authenticated access with at least Contributor privileges. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.16
Vendor Advisory: https://wpscan.com/vulnerability/f15dd1ca-aa40-4d3b-9625-e3ace744374d/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Timetable and Event Schedule by MotoPress'
4. Click 'Update Now' if update is available
5. Alternatively, download version 2.4.16+ from WordPress repository
6. Deactivate, delete old version, upload and activate new version
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patched
wp plugin deactivate motopress-timetable
Restrict Contributor Permissions
allTemporarily remove Contributor role from users or downgrade to Subscriber
wp user set-role <username> subscriber
🧯 If You Can't Patch
- Remove Contributor role from all users who don't absolutely need it
- Implement additional access control layer or disable event duplication feature
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is below 2.4.16, you are vulnerable.Check Version:
wp plugin get motopress-timetable --field=versionVerify Fix Applied:
Confirm plugin version is 2.4.16 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Multiple event duplication attempts by Contributor users
- Unusual event access patterns from non-admin users
Network Indicators:
- POST requests to event duplication endpoints from non-privileged users
SIEM Query:
source="wordpress" AND (event="plugin_action" AND plugin="motopress-timetable" AND action="duplicate") AND user_role="contributor"