Description
The wp Time Machine plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.0. This is due to missing or incorrect nonce validation on the 'wpTimeMachineCore.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-04-02
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via CSRF
Action: Immediate Patch
AI Analysis

Impact

The wp Time Machine plugin for WordPress does not correctly validate a nonce on the 'wpTimeMachineCore.php' admin page, so WordPress cannot tell a request an administrator meant to send from one a third-party page submitted on their behalf. An attacker who holds no account on the site can therefore build a page or link that, when opened by a logged-in administrator, sends a forged request carrying the administrator's session cookies and updates the plugin's settings. Because the plugin stores the submitted values and later renders them, the forged request can plant a script payload that executes in the browser of any user who loads a page where that value is output, including other administrators. Typical consequences are theft of session cookies or authentication tokens, defacement, or delivery of malware to visitors. The weakness is tracked as stored Cross‑Site Scripting (CWE‑79).

Affected Systems

Products: the WordPress plugin "wp Time Machine" by Paulgpetty, all releases up to and including 3.4.0. Any WordPress site with one of these versions installed is affected. The forged request targets the plugin's admin page, so it only succeeds against a browser that holds an administrator session, but the script stored by that request then affects any user who loads a page on which the injected value is rendered.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects a network-reachable flaw that needs no privileges on the attacker's side but does require user interaction, with a scope change because the stored script runs in victims' browsers rather than on the server. The EPSS score below 1% is an estimate of the probability of exploitation in the wild over the next 30 days; it is not a count of public exploits. The flaw is not listed in CISA KEV, and the SSVC assessment in the History section rates it as not automatable. It still matters because a single administrator following a crafted link is enough to plant a persistent script, and because the attacker needs no account on the target, every site running an affected version is a candidate if its administrators can be reached by phishing or a malicious page. Prompt remediation is advisable.

Generated by OpenCVE AI on April 20, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wp Time Machine to a release newer than 3.4.0 that adds nonce validation to wpTimeMachineCore.php as soon as the vendor publishes one; no fixed version is listed on this page.
  • If no fixed release is available, deactivate and remove the plugin, or add a nonce and capability check to the settings handler in wpTimeMachineCore.php so that forged requests are rejected before any option is written.
  • Remind site administrators to treat unexpected links and attachments with caution and to log out of wp-admin when not using it, which limits the window in which a forged request is sent with a valid session.
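Added illustration of the missing-nonce flaw class described in the Impact section and of the custom check suggested in the second action above. This is not wp Time Machine's own code: the option name, form field, hook name and function names are assumptions chosen for the example, and the plugin's real settings handler may look quite different. The first handler mirrors the flaw class (settings written with no nonce or capability check and stored unsanitized); the second is the hardened form.

```php
<?php
// Added example, not wp Time Machine code. The option name 'wptm_label',
// the field 'wptm_label', the action 'wptm_save_settings' and all function
// names are assumptions for illustration only.

// --- Vulnerable pattern: the handler trusts any request that reaches it. ---
// A form on an attacker's page that POSTs to admin-post.php with
// action=wptm_save_settings is sent by the browser together with the
// administrator's cookies, so WordPress treats it as the administrator's.
function wptm_save_settings_vulnerable() {
    // No nonce check: a cross-site request is indistinguishable from a real one.
    // No capability check: any logged-in user could reach it as well.
    $label = isset( $_POST['wptm_label'] ) ? wp_unslash( $_POST['wptm_label'] ) : '';
    update_option( 'wptm_label', $label ); // raw markup is stored as submitted
    wp_safe_redirect( admin_url( 'admin.php?page=wptm' ) );
    exit;
}

// --- Hardened pattern. ---
// 1. The form embeds a nonce bound to the action and the current user.
function wptm_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wptm_save_settings">
        <?php wp_nonce_field( 'wptm_save_settings', '_wptm_nonce' ); ?>
        <label>Label
            <input type="text" name="wptm_label"
                   value="<?php echo esc_attr( get_option( 'wptm_label', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler verifies the nonce and the capability before writing anything.
function wptm_save_settings_hardened() {
    // Stops with "The link you followed has expired." when the nonce is missing
    // or invalid. An attacker's page cannot supply a valid one: the nonce is
    // derived from the victim's session, and the same-origin policy prevents
    // the attacker's page from reading it out of wp-admin.
    check_admin_referer( 'wptm_save_settings', '_wptm_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'wptm' ), 403 );
    }

    // Sanitize on input so the stored value carries no markup...
    $label = isset( $_POST['wptm_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['wptm_label'] ) )
        : '';
    update_option( 'wptm_label', $label );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=wptm' ) ) );
    exit;
}

// Register only the hardened handler; admin_post_* runs for logged-in users.
add_action( 'admin_post_wptm_save_settings', 'wptm_save_settings_hardened' );

// 3. ...and still escape on output, because a value stored before the fix
//    (or written by another path) may already contain a payload.
function wptm_show_label() {
    echo esc_html( get_option( 'wptm_label', '' ) );
}
```

The vulnerable function is included only for contrast and must not be hooked to an action. `wp_verify_nonce()` can replace `check_admin_referer()` where a custom error response is wanted; the same pair of checks applies to AJAX handlers (`check_ajax_referer()`) and to REST routes, which expect the nonce in the `X-WP-Nonce` header. Note that the nonce only defeats CSRF; the sanitize-on-input and escape-on-output steps are what close the stored XSS, and both are needed.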

Advisories
Source: EUVD
ID: EUVD-2025-9523
Title: The wp Time Machine plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.0. This is due to missing or incorrect nonce validation on the 'wpTimeMachineCore.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 02 Apr 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 02 Apr 2025 09:45:00 +0000

Type: Description
Values Added: The wp Time Machine plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.0. This is due to missing or incorrect nonce validation on the 'wpTimeMachineCore.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: wp Time Machine <= 3.4.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:07.262Z

Reserved: 2025-04-01T14:49:19.564Z

Link: CVE-2025-3097

Vulnrichment

Updated: 2025-04-02T13:54:29.302Z

NVD

Status : Deferred

Published: 2025-04-02T10:15:19.967

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3097

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z

Weaknesses