CVE-2025-9018
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-11

Last updated on: 2025-09-11

Assigner: Wordfence

Description
The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'tt_update_table_function' and 'tt_delete_record_function' functions in all versions up to, and including, 3.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update options such as user registration and default role, allowing anyone to register as an Administrator, and to delete limited data from the database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-11
Last Modified
2025-09-11
Generated
2026-06-16
AI Q&A
2025-09-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9018
EUVD
EUVD-2025-28894
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress time_tracker *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the WordPress Time Tracker plugin (up to version 3.1.0) is due to missing capability checks on two key functions: 'tt_update_table_function' and 'tt_delete_record_function'. This flaw allows authenticated users with Subscriber-level access or higher to modify plugin options such as user registration and default role. Consequently, an attacker can exploit this to register any user as an Administrator and delete certain data from the database without proper authorization.

Impact Analysis

This vulnerability can have severe impacts including unauthorized privilege escalation where an attacker can register as an Administrator, gaining full control over the WordPress site. Additionally, attackers can delete limited data from the plugin's database tables, potentially causing data loss or disruption of the Time Tracker plugin's functionality. Overall, it compromises the confidentiality, integrity, and availability of the affected system.

Detection Guidance

Detection can focus on monitoring unauthorized POST requests to the WordPress Time Tracker plugin's AJAX endpoints that invoke the vulnerable functions `tt_update_table_function` and `tt_delete_record_function`. Look for POST requests containing parameters like `table`, `field`, `id`, and `id_field` targeting Time Tracker tables. Additionally, check for suspicious changes to user registration options or default roles that could allow unauthorized administrator creation. Specific commands depend on your environment, but examples include using web server logs or network monitoring tools to filter POST requests to the plugin's AJAX URLs. For example, using grep on access logs: `grep -i 'POST' /var/log/apache2/access.log | grep 'tt_update_table_function'` or similar for `tt_delete_record_function`. Also, monitoring database changes to user roles or registrations can help detect exploitation attempts. [1, 3]

Mitigation Strategies

Immediate mitigation steps include updating the WordPress Time Tracker plugin to version 3.2.0 or later, where the vulnerability is fixed by adding proper capability checks and security validations. If updating is not immediately possible, restrict access to the plugin's AJAX functions to users with appropriate capabilities (e.g., editors or administrators) by implementing access control checks. Additionally, ensure that nonce verification is enforced on all AJAX requests to prevent CSRF attacks. Review and harden user registration and default role settings to prevent unauthorized administrator creation. Monitoring and restricting POST requests to the plugin's AJAX endpoints can also help mitigate exploitation. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9018. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart