The Scheduler Widget plugin for WordPress, developed by morelmathieuj, suffers from an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key). This vulnerability exists in all versions up to and including 0.1.6 due to the scheduler_widget_ajax_save_event() function failing to perform proper authorization checks and ownership verification when processing event updates. Specifically, the function accepts an 'id' parameter representing the event identifier, but does not verify whether the authenticated user owns or is authorized to modify the event associated with that ID. Consequently, any authenticated user with at least Subscriber-level privileges can modify arbitrary events if they know the event IDs, bypassing intended access controls. The vulnerability is exploitable remotely over the network without requiring user interaction, and the attack complexity is low since only knowledge of event IDs is needed. The CVSS v3.1 base score is 5.4 (medium severity), reflecting the lack of confidentiality impact but partial impact on integrity and availability. No patches or official fixes are currently available, and no public exploits have been reported. This vulnerability highlights the risks of insufficient authorization validation in WordPress plugins that manage user-generated content or scheduling data.

This vulnerability allows unauthorized modification of scheduler events by authenticated users with minimal privileges, potentially leading to data integrity issues such as altered or deleted events. For organizations relying on the Scheduler Widget for critical scheduling or event management, this could disrupt operations, cause misinformation, or enable further attacks leveraging manipulated event data. Although confidentiality is not directly affected, the integrity and availability of scheduling information are compromised, which can impact business continuity and trust in the affected systems. Attackers could exploit this to cause denial of service by corrupting event data or to manipulate scheduled tasks for malicious purposes. Since the vulnerability requires only Subscriber-level access, it broadens the attacker base to include any registered user, increasing the risk in environments with many users or weak user registration controls.

Organizations should immediately audit their WordPress installations to identify the presence of the Scheduler Widget plugin and its version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. If removal is not feasible, implement strict access controls to limit Subscriber-level accounts and monitor event modification logs for suspicious activity. Custom code or web application firewall (WAF) rules can be deployed to validate event ownership before allowing updates, effectively adding an authorization layer. Additionally, restrict knowledge of event IDs by obfuscating or randomizing identifiers if possible, reducing the risk of ID enumeration. Regularly update WordPress and plugins once a patch becomes available. Educate users about the risks of sharing event information and enforce strong user registration policies to minimize unauthorized access.