Impact
WordPress Time Capsule Plugin 1.21.16 has an authentication bypass flaw that lets an unauthenticated attacker obtain a valid administrator session cookie. By sending a crafted POST request that includes the IWP_JSON_PREFIX HTTP header, the attacker causes the plugin to authenticate the request incorrectly and issue an admin cookie. Possession of that cookie grants full control over the WordPress dashboard, including content modification, plugin installation, and site configuration changes. The weakness is classified as CWE-288: the software fails to properly authenticate a user. The flaw resides in the plugin's handling of JSON-formatted requests and can be triggered without any prior knowledge of valid credentials. The CVSS score of 8.7 places the issue in the high severity range. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, so there is no documented widespread exploitation to date. The flaw is triggered remotely over HTTP by including the IWP_JSON_PREFIX header in a POST request, with no user interaction required. The combination of high impact, a simple attack vector, and the absence of a publicly available exploit makes the risk significant for any vulnerable site.
Affected Systems
Any WordPress site that has the Time Capsule Plugin installed at version 1.21.16 or earlier is impacted. Sites that have upgraded past that version are not affected unless older code remains in place.
Risk and Exploitability
The flaw can be leveraged over the internet or an internal network by sending a specially formatted POST request to the plugin's JSON endpoint. No authentication or prior access is required, and the response provides a fully privileged session. Given the simple attack vector, the high CVSS score, and the lack of a KEV listing, the overall risk is high for sites that remain on the vulnerable version.
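The two checks a site owner would want from the Affected Systems and Risk and Exploitability sections are (a) whether the installed plugin version falls in the affected range (1.21.16 or earlier) and (b) whether any POST request carrying the IWP_JSON_PREFIX header has already reached the site. The script below is an added example written for this page; it is not code from the advisory, from OpenCVE, or from the plugin. It assumes a reverse proxy or WAF writes one JSON object per request, including request headers, to an access log (that schema and the log lines are constructed), and it matches the header name case-insensitively because HTTP header names are case-insensitive.

```python
"""Version check and log triage for the Time Capsule Plugin auth bypass.

Added example, not part of the advisory or of the plugin. Assumed log
schema: one JSON object per line with 'src', 'method', 'path', 'status'
and 'headers' keys. The sample log below is constructed.
"""
import json
from typing import Iterable

# Header named in the advisory as the trigger for the bypass.
TRIGGER_HEADER = "IWP_JSON_PREFIX"
# Highest affected version according to the advisory (1.21.16 or earlier).
LAST_AFFECTED = (1, 21, 16)


def parse_version(version: str) -> tuple:
    """Turn '1.21.16' into (1, 21, 16); missing or non-numeric parts count as 0."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the installed plugin version is 1.21.16 or earlier."""
    return parse_version(version) <= LAST_AFFECTED


def has_trigger_header(headers: dict) -> bool:
    """Case-insensitive check for the IWP_JSON_PREFIX header."""
    return any(name.upper() == TRIGGER_HEADER for name in headers)


def find_suspicious(lines: Iterable[str]) -> list:
    """Return POST requests that carried the trigger header.

    Malformed lines are skipped so a single bad record does not abort
    the scan. Each hit keeps the source, path and status for follow-up.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if str(rec.get("method", "")).upper() != "POST":
            continue
        if has_trigger_header(rec.get("headers", {})):
            hits.append({
                "src": rec.get("src"),
                "path": rec.get("path"),
                "status": rec.get("status"),
            })
    return hits


# Constructed sample log: two POSTs carry the header (one accepted with
# 200, one rejected with 403), one GET, one ordinary POST, one bad line.
SAMPLE_LOG = """
{"src":"203.0.113.5","method":"POST","path":"/","status":200,"headers":{"iwp_json_prefix":"1","Content-Type":"application/json"}}
{"src":"198.51.100.7","method":"GET","path":"/wp-login.php","status":200,"headers":{"User-Agent":"Mozilla/5.0"}}
{"src":"203.0.113.5","method":"POST","path":"/wp-admin/admin-ajax.php","status":200,"headers":{"Content-Type":"application/x-www-form-urlencoded"}}
{"src":"192.0.2.9","method":"POST","path":"/","status":403,"headers":{"IWP_JSON_PREFIX":"1"}}
this line is not JSON
"""


if __name__ == "__main__":
    for v in ("1.21.15", "1.21.16", "1.21.17"):
        print(f"plugin {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print("POST with IWP_JSON_PREFIX header:", hit)
```

Two caveats when running this against real logs. First, nginx drops request headers whose names contain underscores unless `underscores_in_headers on` is set, so an nginx-fronted site may never see the header in its logs even though the request was sent. Second, if the plugin's own management traffic legitimately uses this header (an assumption, not stated by the advisory), treat hits from the known management server's address as expected and focus on the remaining sources, particularly those whose request received a 200 status.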
OpenCVE Enrichment