CVE-2025-9018
BaseFortify
Publication date: 2025-09-11
Last updated on: 2025-09-11
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | time_tracker | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WordPress Time Tracker plugin (up to version 3.1.0) is due to missing capability checks on two key functions: 'tt_update_table_function' and 'tt_delete_record_function'. This flaw allows authenticated users with Subscriber-level access or higher to modify plugin options such as user registration and default role. Consequently, an attacker can exploit this to register any user as an Administrator and delete certain data from the database without proper authorization.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized privilege escalation where an attacker can register as an Administrator, gaining full control over the WordPress site. Additionally, attackers can delete limited data from the plugin's database tables, potentially causing data loss or disruption of the Time Tracker plugin's functionality. Overall, it compromises the confidentiality, integrity, and availability of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring unauthorized POST requests to the WordPress Time Tracker plugin's AJAX endpoints that invoke the vulnerable functions `tt_update_table_function` and `tt_delete_record_function`. Look for POST requests containing parameters like `table`, `field`, `id`, and `id_field` targeting Time Tracker tables. Additionally, check for suspicious changes to user registration options or default roles that could allow unauthorized administrator creation. Specific commands depend on your environment, but examples include using web server logs or network monitoring tools to filter POST requests to the plugin's AJAX URLs. For example, using grep on access logs: `grep -i 'POST' /var/log/apache2/access.log | grep 'tt_update_table_function'` or similar for `tt_delete_record_function`. Also, monitoring database changes to user roles or registrations can help detect exploitation attempts. [1, 3]
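As an added example that is not part of the advisory or the plugin, the following PHP CLI script applies the log-filtering idea above to Apache/Nginx combined-format access log lines: it flags POST requests to `admin-ajax.php` whose `action` parameter names one of the handlers called out here. Two assumptions are baked in and labelled in the code: that the AJAX action names equal the PHP function names (the same assumption the `grep` example makes), and that the `action` and table parameters arrive in the query string, because a web server access log records the request line but never the POST body. When the parameters are only in the body, this script will see nothing, and a WAF or WordPress-side audit logging is the right place to look instead. The sample lines are constructed, not captured traffic.

```php
<?php
// Added example (not the advisory's or the plugin's code). Assumed action names below.
const TT_SUSPECT_ACTIONS = array( 'tt_update_table_function', 'tt_delete_record_function' );

// Combined log format: host ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
const TT_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';

/**
 * Return details of a suspicious request, or null when the line is not of interest.
 */
function tt_flag_log_line( string $line ): ?array {
    if ( ! preg_match( TT_LOG_RE, $line, $m ) ) {
        return null; // not a combined-format line
    }
    [ , $ip, $time, $method, $target, $status, $ua ] = $m;
    if ( 'POST' !== $method ) {
        return null;
    }
    $url  = parse_url( $target );
    $path = $url['path'] ?? '';
    $ajax = '/wp-admin/admin-ajax.php';
    if ( substr( $path, -strlen( $ajax ) ) !== $ajax ) {
        return null; // only the WordPress AJAX endpoint matters here
    }
    // Assumption: action/table arrive in the query string; bodies are never logged.
    parse_str( $url['query'] ?? '', $query );
    $action = $query['action'] ?? '';
    if ( ! in_array( $action, TT_SUSPECT_ACTIONS, true ) ) {
        return null;
    }
    return array(
        'ip'     => $ip,
        'time'   => $time,
        'action' => $action,
        'table'  => $query['table'] ?? '',
        'status' => (int) $status,
        'ua'     => $ua,
    );
}

/** Scan any iterable of log lines and return every flagged request. */
function tt_scan_log( iterable $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $hit = tt_flag_log_line( (string) $line );
        if ( null !== $hit ) {
            $hits[] = $hit;
        }
    }
    return $hits;
}

// Constructed sample lines (documentation IP ranges, not real traffic).
$tt_sample_lines = array(
    '203.0.113.7 - - [11/Sep/2025:10:02:13 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Sep/2025:10:02:41 +0000] "POST /wp-admin/admin-ajax.php?action=tt_update_table_function&table=tt_options&field=default_role HTTP/1.1" 200 47 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Sep/2025:10:03:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Sep/2025:10:03:22 +0000] "POST /wp-admin/admin-ajax.php?action=tt_delete_record_function&table=tt_time&id=4&id_field=id HTTP/1.1" 200 31 "-" "curl/8.4.0"',
);

if ( PHP_SAPI === 'cli' ) {
    // Usage: php tt_scan.php /var/log/apache2/access.log   (falls back to the sample lines)
    $lines = $argc > 1 ? new SplFileObject( $argv[1] ) : $tt_sample_lines;
    foreach ( tt_scan_log( $lines ) as $h ) {
        printf( "%s %s action=%s table=%s status=%d ua=%s\n",
            $h['time'], $h['ip'], $h['action'], $h['table'], $h['status'], $h['ua'] );
    }
}
```

Run against the embedded sample, the script reports the two `203.0.113.7` requests (one `tt_update_table_function` write touching `default_role`, one `tt_delete_record_function` delete) and ignores the login page hit and the ordinary `heartbeat` AJAX call. A `200` status on such a request from a low-privilege session is the signal worth correlating with changes to the site's registration and default-role options.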
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WordPress Time Tracker plugin to version 3.2.0 or later, where the vulnerability is fixed by adding proper capability checks and security validations. If updating is not immediately possible, restrict access to the plugin's AJAX functions to users with appropriate capabilities (e.g., editors or administrators) by implementing access control checks. Additionally, ensure that nonce verification is enforced on all AJAX requests to prevent CSRF attacks. Review and harden user registration and default role settings to prevent unauthorized administrator creation. Monitoring and restricting POST requests to the plugin's AJAX endpoints can also help mitigate exploitation. [1, 2, 3]
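To make the "add proper capability checks" step concrete, here is an added example of the WordPress AJAX handler pattern that closes a CWE-862 gap of the kind described above. It is illustrative code, not the Time Tracker plugin's source: the function names, the `tt_update_table` action and nonce names, the `tt_settings` table and its fields are all assumptions chosen for the example. The same three guards (nonce, capability, allow-listed table/field) apply unchanged to a delete handler.

```php
<?php
// Added example (not the plugin's code). Handler, action, nonce, table and field
// names are assumptions for illustration.

// --- Before: the pattern CWE-862 describes. Any logged-in user reaching the
// wp_ajax_ hook can write to whatever table/field the request names. ---
function tt_update_table_function_unchecked() {
    $table = sanitize_key( $_POST['table'] ?? '' );
    $field = sanitize_key( $_POST['field'] ?? '' );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    // ...writes $value to $table.$field with no capability or nonce check...
    wp_send_json_success();
}

// --- After: nonce check, capability check, and an allow-list of writable fields. ---
function tt_update_table_function_hardened() {
    // 1. Nonce: ties the request to a page this site rendered for this user (anti-CSRF).
    //    check_ajax_referer() responds -1 with HTTP 400 and exits when the nonce is invalid.
    check_ajax_referer( 'tt_update_table', 'nonce' );

    // 2. Capability: only users who may manage options can change plugin settings.
    //    wp_send_json_error() calls wp_die(), so execution stops here for everyone else.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Allow-list: never let the request choose an arbitrary table or column.
    $allowed = array(
        'tt_settings' => array( 'default_role', 'user_registration' ), // assumed schema
    );
    $table = sanitize_key( $_POST['table'] ?? '' );
    $field = sanitize_key( $_POST['field'] ?? '' );
    if ( ! isset( $allowed[ $table ] ) || ! in_array( $field, $allowed[ $table ], true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown table or field.' ), 400 );
    }

    // 4. Value policy: a settings write must not be able to make new accounts administrators.
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    if ( 'default_role' === $field && 'administrator' === $value ) {
        wp_send_json_error( array( 'message' => 'Refusing to set the default role to administrator.' ), 400 );
    }

    global $wpdb;
    $updated = $wpdb->update(
        $wpdb->prefix . $table,
        array( $field => $value ),
        array( 'id' => absint( $_POST['id'] ?? 0 ) ),
        array( '%s' ),
        array( '%d' )
    );
    wp_send_json_success( array( 'updated' => (int) $updated ) );
}

// Register only the hardened handler, and only for authenticated users:
// deliberately no wp_ajax_nopriv_ hook, so anonymous visitors never reach it.
add_action( 'wp_ajax_tt_update_table', 'tt_update_table_function_hardened' );

// The page that issues the AJAX call must be given the nonce, e.g. when enqueuing its script:
// wp_localize_script( 'tt-admin', 'ttAjax', array( 'nonce' => wp_create_nonce( 'tt_update_table' ) ) );
```

The order matters: the nonce check runs first so that an unauthenticated or cross-site request is rejected before any capability or database logic executes, and the capability check uses `manage_options` rather than a role name because WordPress authorizes by capability, not by role. Until the plugin can be updated, the same guards can be enforced from a small must-use plugin hooked on the existing action at a lower priority, which rejects the request before the vulnerable callback runs.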