Impact
A missing authorization issue in Arraytics Timetics allows an attacker to take advantage of incorrectly configured access-control levels. The flaw permits unauthorized users to reach functions or features that should be restricted, potentially enabling further exploitation of the WordPress site. The vulnerability directly affects confidentiality and integrity by allowing users to perform actions beyond their intended permissions.
Affected Systems
All installations of the Timetics WordPress plugin from the first released version through version 1.0.29 are affected. The plugin is published by Arraytics under the product name Timetics. Administrators should check the plugin version shown in the WordPress admin interface and treat any deployment running version 1.0.29 or earlier as affected.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests that mass exploitation is unlikely, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is inferred to be remote: an attacker would call publicly exposed endpoints of the plugin. Successful exploitation requires the ability to send requests to the plugin's URLs and would allow an attacker to use functionality that should be shielded behind authentication or role checks. No evidence of active exploitation has been reported at this time.
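The Impact and Risk sections above describe the general pattern of a missing-authorization flaw in a WordPress plugin: an endpoint is reachable, but nothing verifies that the caller holds the role or capability the feature requires. The following is an added illustration of that pattern and its fix in plain WordPress REST API code; it is not code from Timetics or from Arraytics, and the route namespace `example-plugin/v1`, the option name, the callback and the `booking_window` parameter are all hypothetical. Only the hardened registration should ever be hooked; the weak one is shown for comparison.

```php
<?php
// Added example, not Timetics code. Route names, option names and the
// callback body are hypothetical and exist only to show the pattern.

// WEAK: permission_callback always returns true, so any visitor who can reach
// /wp-json/example-plugin/v1/settings may run the callback. This is the shape
// of a "missing authorization" defect. Shown for comparison; do not hook it.
function example_plugin_register_routes_weak() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => '__return_true', // no role or capability check
    ) );
}

// HARDENED: the route is only reachable by an authenticated user holding the
// capability the feature actually needs, and the argument schema validates and
// sanitizes the input before the callback sees it.
function example_plugin_register_routes_hardened() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => 'example_plugin_can_manage_settings',
        'args'                => array(
            'booking_window' => array(
                'type'              => 'integer',
                'required'          => true,
                'minimum'           => 1,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}

// Authorization decision: 401 for anonymous callers, 403 for logged-in users
// without the required capability, true only for authorized users. Both error
// paths return a WP_Error so WordPress emits the proper HTTP status, which also
// makes rejected attempts visible in web server access logs.
function example_plugin_can_manage_settings( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to change these settings.' ),
            array( 'status' => 401 )
        );
    }
    // 'manage_options' is the administrator-level capability; a plugin should
    // pick the narrowest capability that still covers the feature.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to change these settings.' ),
            array( 'status' => 403 )
        );
    }
    return true;
}

// Callback shared by both registrations. With the hardened route it only runs
// after the permission_callback has returned true and the schema has run.
function example_plugin_update_settings( WP_REST_Request $request ) {
    $window = $request->get_param( 'booking_window' ); // already an absint
    update_option( 'example_plugin_booking_window', $window );
    return rest_ensure_response( array( 'updated' => true, 'booking_window' => $window ) );
}

// Hook only the hardened registration.
add_action( 'rest_api_init', 'example_plugin_register_routes_hardened' );
```

When reviewing a plugin for this class of issue, the quick check is to grep every `register_rest_route()` call for a `permission_callback` that is missing, set to `__return_true`, or that only checks `is_user_logged_in()` without a capability test, and to confirm that `admin-ajax.php` handlers registered with `wp_ajax_nopriv_` actually need to be anonymous. Rejections from the hardened callback surface as 401/403 responses on the plugin's REST paths, which is a useful signal to watch for in access logs.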
OpenCVE Enrichment