CVE-2026-9228: MotoPress Timetable Plugin IDOR Vulnerability – Unauthorized Draft Post Access
A WordPress plugin called Timetable and Event Schedule by MotoPress has a flaw that allows users with contributor-level access or higher to see confidential information they shouldn't have access to. Specifically, they can view drafts, pending reviews, and private event posts created by other users, including the content, excerpts, and author information. The vulnerability stems from the plugin failing to properly validate user input when retrieving event data, making it possible to directly access posts by guessing or enumerating their IDs.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the action_get_event_data due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to enumerate timeslot IDs and read the full WP_Post object — including post_content, post_excerpt, post_status, and post_author — of draft, pending, and private mp-event posts belonging to other users, along with their associated raw timeslot descriptions.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9228 is an Insecure Direct Object Reference (IDOR) vulnerability in the Timetable and Event Schedule by MotoPress plugin affecting all versions through 2.4.16. The flaw exists in the action_get_event_data function, which fails to implement adequate authorization checks on user-controlled key parameters. An authenticated attacker with contributor-level privileges or above can enumerate timeslot IDs and retrieve unserialised WP_Post objects containing sensitive fields (post_content, post_excerpt, post_status, post_author) from draft, pending, and private custom post types (mp-event). The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key).
Business impact
This vulnerability creates a confidential information disclosure risk within WordPress sites using the affected plugin. Content editors, draft posts, and private event schedules can be exposed to users who should not have viewing rights. For organizations using this plugin to manage sensitive event scheduling or content workflows, unauthorized access could compromise editorial control, expose unreleased announcements, or leak internal planning details. The impact is heightened in multi-author environments where role-based content separation is relied upon for governance.
Affected systems
WordPress installations with the Timetable and Event Schedule by MotoPress plugin installed in any version up to and including 2.4.16 are affected. Only sites where one or more users hold contributor-level access or higher (contributors, authors, editors, administrators) can be exploited. Sites without contributors or lower-privileged authors remain unaffected because the vulnerability requires authenticated access at that privilege level or above.
Exploitability
Exploitation requires valid WordPress account credentials with at least contributor-level permissions. No user interaction or special network conditions are required; the attacker can directly invoke the vulnerable action from their authenticated session. The attack is straightforward: an authenticated contributor can call the action_get_event_data function with manipulated parameters to enumerate and retrieve post objects they lack authorization to view. The barrier to exploitation is low for anyone with legitimate site access at contributor tier or above, but external attackers would first need to compromise or create a valid account.
Remediation
Update the Timetable and Event Schedule by MotoPress plugin to a version beyond 2.4.16 that includes proper authorization validation in the action_get_event_data function. Verify against the vendor's official advisory for the specific patched version number. Until patching is possible, restrict contributor-level access to only trusted users and review existing contributor accounts for necessity. Consider implementing additional access controls at the WordPress level or temporarily disabling the plugin if it is not essential.
Patch guidance
Check the MotoPress official plugin repository or vendor advisory for the release notes detailing the security fix. Download and install the latest version of the plugin via the WordPress admin interface or manually. Test in a staging environment first to ensure compatibility with your theme and other plugins. Apply the update during a scheduled maintenance window. After patching, verify via plugin audit logs or site activity that no unauthorized data access occurred during the vulnerability window.
Detection guidance
Review WordPress user access logs and audit plugins for calls to the action_get_event_data function, especially those with unusual or repeated parameter variations. Look for patterns where contributors are accessing post objects that differ from their normal workflow. Check wp-event post metadata and revision histories for unexpected queries. Enable WordPress debugging if needed and monitor for direct function calls within authenticated sessions. A Web Application Firewall (WAF) rule set can flag suspicious requests to the vulnerable action endpoint if parameter patterns suggest enumeration attempts.
Why prioritize this
Although the CVSS score is medium (4.3), this vulnerability warrants prompt attention in environments with multi-user WordPress sites. The barrier to exploitation is low for any authenticated contributor, and the exposure includes sensitive post metadata. Multi-author sites, news organizations, and agencies managing private or draft content should prioritize patching to maintain editorial workflow integrity. Organizations with strict role-based content separation policies should treat this as higher priority than the base score suggests.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects a network-accessible vulnerability with low attack complexity and low privilege requirements (authenticated contributor). The impact is confidentiality loss only (no integrity or availability impact). The score does not fully capture organizational risk in scenarios where draft content, private schedules, or editorial workflows are business-critical, or where multi-author separation is a compliance requirement. Organizations should adjust their internal risk rating based on their reliance on confidentiality of unpublished content and the number of trusted contributors on their sites.
Frequently asked questions
Can someone without a WordPress account exploit this vulnerability?
No. The vulnerability requires valid authentication credentials with at least contributor-level access. External attackers would need to compromise an existing account or successfully create one (if registration is enabled), making it an insider risk or credential-compromise scenario rather than a remote unauthenticated attack.
Does this vulnerability allow attackers to modify or delete posts?
No. The vulnerability is read-only; it allows unauthorized viewing of post metadata and content, but does not include modification or deletion capabilities. Integrity and availability of posts remain unaffected.
What if we use the plugin but have no contributors or lower-privileged users?
Sites where all users are administrators and editors may face lower practical risk, since these roles typically have broader content access anyway. However, review your user base carefully—any contributor-level account is a potential entry point. If you have no contributors, consider whether you need this plugin at all.
Is there a temporary workaround if we cannot patch immediately?
The most effective interim control is to disable the plugin entirely until a patched version is available. If disabling is not an option, restrict contributor-level access to essential, trusted users only and conduct a review of existing contributors. A firewall rule or WordPress security plugin could potentially block direct calls to action_get_event_data, but this is not a substitute for patching.
This analysis is provided for informational purposes to aid security decision-making. The information is current as of the publication date but may change as vendor patches are released or new attack data emerges. Organizations should verify patch availability and compatibility with their specific WordPress environment before deploying updates. This vulnerability analysis does not constitute professional security advice; consult with your security team or a professional advisor for deployment in regulated or mission-critical environments. No exploit code or weaponized proof-of-concept is included in this guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
- CVE-2026-24753MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
- CVE-2026-24755MEDIUMKiteworks IDOR Authorization Flaw in Secure Data Forms
- CVE-2026-24756MEDIUMKiteworks IDOR Vulnerability – Unauthorized Data Modification Risk
- CVE-2026-3173MEDIUMWordPress Meta Field Block Insecure Direct Object Reference (IDOR) Vulnerability