Description
The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'tt_update_table_function' and 'tt_delete_record_function' functions in all versions up to, and including, 3.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update options such as user registration and default role, allowing anyone to register as an Administrator, and to delete limited data from the database.
Published: 2025-09-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The Time Tracker WordPress plugin is affected by a missing capability check in its update and delete functions. Users with Subscriber-level access or higher can modify core options such as user registration settings and the default role assigned to new users. This flaw allows an attacker to create users with Administrator privileges and to delete selected records from the database, compromising data integrity and elevating privileges.

Affected Systems

All installations of the germanpearls Time Tracker plugin up to and including version 3.1.0 are affected. The vulnerability impacts the WordPress plugin regardless of the hosting environment, as long as the plugin is active and the user is authenticated with Subscriber or higher capabilities.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests that exploit attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack requires the attacker to be authenticated with Subscriber-level access or higher; such users can exploit the flaw by invoking the exposed functions without any additional prerequisites. The lack of a capability check in the plugin code allows direct privilege escalation and data tampering.

Generated by OpenCVE AI on April 22, 2026 at 14:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Time Tracker plugin to the latest released version that contains the authorization checks or remove the plugin entirely if an update is not yet available.
  • Deploy temporary access controls to restrict or block the tt_update_table_function and tt_delete_record_function for users below the Administrator role, ensuring no unintended privilege escalation occurs.
  • Modify the plugin code to enforce proper capability checks, such as current_user_can('manage_options'), before executing update or delete operations, thereby preventing unauthorized alterations.
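The pattern the last recommendation describes, shown as an added example that is not the Time Tracker plugin's own code: the two function names come from the advisory, but the AJAX hook names, option names, table name and request fields are assumptions chosen for illustration.

```php
<?php
// Added illustration (not the plugin's code): a hardened WordPress AJAX
// handler pattern for the two functions named in the advisory. Hook names,
// option/table names and request fields below are assumptions.
add_action( 'wp_ajax_tt_update_table', 'tt_update_table_function' );
add_action( 'wp_ajax_tt_delete_record', 'tt_delete_record_function' );

/**
 * Shared guard: every privileged handler must verify both who is calling
 * (capability) and whether they intended to (nonce). A missing capability
 * check (CWE-862) is what lets a Subscriber reach the code below.
 */
function tt_require_admin_and_nonce( $action ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // check_ajax_referer() terminates the request if the nonce is invalid.
    check_ajax_referer( $action, 'nonce' );
}

function tt_update_table_function() {
    tt_require_admin_and_nonce( 'tt_update_table' );
    // Allow-list the options this handler may touch; never take an arbitrary
    // option name from the request, which is what enabled the user-registration
    // and default-role changes described above.
    $allowed = array( 'tt_default_status', 'tt_rounding_minutes' ); // assumed option names
    $option  = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Option not permitted.' ), 400 );
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $option, $value );
    wp_send_json_success();
}

function tt_delete_record_function() {
    global $wpdb;
    tt_require_admin_and_nonce( 'tt_delete_record' );
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid record id.' ), 400 );
    }
    // Restrict deletion to the plugin's own table (assumed name) and use a
    // prepared statement; $wpdb->delete() handles both.
    $deleted = $wpdb->delete( $wpdb->prefix . 'tt_time_entries', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

Registering the handlers only under `wp_ajax_` (and not `wp_ajax_nopriv_`) keeps them away from unauthenticated callers, while the capability check inside each handler is what closes the Subscriber-level gap the advisory describes.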


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-28894
Title: The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'tt_update_table_function' and 'tt_delete_record_function' functions in all versions up to, and including, 3.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update options such as user registration and default role, allowing anyone to register as an Administrator, and to delete limited data from the database.
History

Fri, 12 Sep 2025 08:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Sep 2025 11:30:00 +0000

Type: Description
Values Added: The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'tt_update_table_function' and 'tt_delete_record_function' functions in all versions up to, and including, 3.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update options such as user registration and default role, allowing anyone to register as an Administrator, and to delete limited data from the database.

Type: Title
Values Added: Time Tracker <= 3.1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update and Limited Data Deletion

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:25.415Z

Reserved: 2025-08-14T00:40:19.271Z

Link: CVE-2025-9018

Vulnrichment

Updated: 2025-09-11T13:29:13.349Z

NVD

Status : Deferred

Published: 2025-09-11T12:15:36.380

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9018

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:30:18Z

Weaknesses