CVE-2025-12954 PUBLISHED

Timetable and Event Schedule by MotoPress < 2.4.16 - Contributor+ Event Disclosure via IDOR

Assigner: WPScan
Reserved: 10.11.2025 Published: 03.12.2025 Updated: 03.12.2025

The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify that a user has access to a specific event when duplicating it, leading to arbitrary event disclosure to users with a role as low as Contributor.

Product Status

Vendor: Unknown
Product: Timetable and Event Schedule by MotoPress
Versions: default status unaffected
  • affected from 0 to 2.4.16 (excl.)

Credits

  • bRpsd (finder)
  • WPScan (coordinator)

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key