CVE-2024-1094 Overview
CVE-2024-1094 is a missing authorization vulnerability in the Timetics AI-powered Appointment Booking plugin for WordPress. The flaw exists in the make_staff() function, which lacks a capability check in all versions up to and including 1.0.21. Unauthenticated attackers can exploit this issue over the network to grant arbitrary users staff permissions within the WordPress installation. The vulnerability is tracked under [CWE-862] (Missing Authorization) and is likely a duplicate of CVE-2024-37427.
Critical Impact
Unauthenticated attackers can elevate arbitrary user accounts to staff-level privileges, enabling unauthorized data modification within affected WordPress sites.
Affected Products
- Timetics AI-powered Appointment Booking with Visual Seat Plan plugin for WordPress
- All plugin versions up to and including 1.0.21
- WordPress sites with the vulnerable plugin installed and activated
Discovery Timeline
- 2024-06-14 - CVE-2024-1094 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-1094
Vulnerability Analysis
The vulnerability resides in the make_staff() function within the Timetics plugin's staff management module. This function is intended to assign staff-level capabilities to WordPress users for appointment booking workflows. The function is exposed without a corresponding permission check, allowing any unauthenticated HTTP request to invoke it. An attacker who promotes themselves or another account to staff status can modify appointment data, access protected scheduling endpoints, and pivot to further actions reserved for authorized personnel.
Root Cause
The root cause is a missing capability check in the make_staff() function registered in core/staffs/hooks.php. The function does not call current_user_can() or any equivalent authorization gate before executing privileged operations. As a result, the endpoint trusts the request without validating the requester's role. The patched changeset on the WordPress plugin repository adds the missing capability verification before allowing the staff assignment to proceed.
Attack Vector
Exploitation requires no authentication, no user interaction, and only network access to the target WordPress site. An attacker sends a crafted HTTP request to the unprotected REST endpoint that invokes make_staff(). The endpoint accepts the request and elevates the targeted user account to staff permissions. No special tooling is required beyond standard HTTP clients. See the Wordfence Vulnerability Report and the WordPress Plugin Change Log for technical details of the unprotected handler and the corresponding fix.
Detection Methods for CVE-2024-1094
Indicators of Compromise
- Unexpected WordPress user accounts holding Timetics staff role assignments
- HTTP POST requests to Timetics REST API endpoints invoking staff creation from unauthenticated sessions
- Modifications to the wp_usermeta table containing Timetics staff capability entries without an administrator audit trail
- New appointment or scheduling records created by recently promoted staff accounts
Detection Strategies
- Review WordPress audit logs for calls to the Timetics REST routes that invoke make_staff() originating from unauthenticated or low-privilege sessions.
- Compare the current list of users with staff permissions against the last known administrator-approved baseline.
- Inspect web server access logs for POST requests targeting /wp-json/timetics/ paths followed by unexpected role changes.
Monitoring Recommendations
- Enable a WordPress activity logging plugin to capture role and capability assignments in real time.
- Forward web server and WordPress audit logs to a centralized SIEM for correlation with user privilege changes.
- Alert on any anonymous HTTP requests that result in user metadata modifications related to staff roles.
How to Mitigate CVE-2024-1094
Immediate Actions Required
- Update the Timetics plugin to a version later than 1.0.21 that contains the capability check fix.
- Audit all WordPress accounts and revoke staff permissions that were not assigned by an administrator.
- Rotate credentials for any accounts that were elevated without authorization and review their recent activity.
Patch Information
The vendor addressed the vulnerability by adding a capability check to the make_staff() function. The fix is documented in the WordPress Plugin Change Log. Site administrators should upgrade to a patched release through the WordPress plugin updater immediately.
Workarounds
- Deactivate and remove the Timetics plugin until the patched version can be applied.
- Restrict access to the /wp-json/timetics/ REST routes at the web application firewall layer for unauthenticated requests.
- Apply a virtual patch in your WAF that blocks invocation of the make_staff endpoint from sessions lacking an administrator-level authentication cookie.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

