Description
Missing Authorization vulnerability in Arraytics Timetics timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through <= 1.0.44.
Published: 2025-12-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization issue in the Arraytics Timetics WordPress plugin. Because access control checks are incorrectly configured, an attacker who can reach the plugin’s web endpoints could perform actions without proper authentication or authorization. This flaw, identified as CWE‑862, enables unauthorized manipulation of plugin data or configuration, potentially leading to disclosure, modification, or destruction of sensitive information stored within WordPress.

Affected Systems

Installations of the Arraytics Timetics WordPress plugin up to and including version 1.0.44 are affected, regardless of the WordPress core version.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, though the EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low current probability of exploitation. The likely attack vector is web-based, where an attacker sends crafted HTTP requests to plugin endpoints that lack proper authorization checks. Successful exploitation requires access to the plugin’s restricted area; no local privilege escalation or network-level compromise is indicated by the current data.

Generated by OpenCVE AI on April 29, 2026 at 13:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Timetics plugin to the latest version (≥ 1.0.45), which addresses the authorization flaw.
  • Restrict the web server’s permissions on the plugin directory so that only authenticated administrators can access plugin files.
  • Disable or remove the Timetics plugin from sites that cannot be updated immediately and monitor logs for suspicious activity.

Generated by OpenCVE AI on April 29, 2026 at 13:02 UTC.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Arraytics; Arraytics timetics; Wordpress; Wordpress wordpress |
| Vendors & Products | | Arraytics; Arraytics timetics; Wordpress; Wordpress wordpress |

Thu, 18 Dec 2025 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 18 Dec 2025 07:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing Authorization vulnerability in Arraytics Timetics timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through <= 1.0.44. |
| Title | | WordPress Timetics plugin <= 1.0.44 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:28:44.581Z

Reserved: 2025-10-29T03:08:27.751Z

Link: CVE-2025-64268

Vulnrichment

Updated: 2025-12-18T20:25:43.237Z

NVD

Status: Deferred

Published: 2025-12-18T08:16:13.333

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64268

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:15:11Z

Weaknesses