Description
Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Timetics: from n/a through 1.0.53.
Published: 2026-05-12
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a missing authorization flaw that allows an attacker to bypass the intended access control for the Timetics plugin. An adversary who can reach the plugin’s interfaces can read, modify, or delete data and content that should be protected, effectively elevating their privileges over the WordPress installation. The flaw can also facilitate further exploitation of the underlying system if sensitive information is exposed.

Affected Systems

The defect is present in the Arraytics Timetics WordPress plugin in all versions from the original release up to and including 1.0.53. Users who have installed or continue to run any version of the plugin within this range are affected.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. Exploitation is straightforward due to the lack of proper authorization checks; an adversary only needs to issue requests to the plugin’s protected endpoints. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The easiest attack path is to send crafted HTTP requests to the plugin’s URLs and directly access or manipulate data that should be restricted. Even though the description does not state whether authentication is required, the missing authorization control inherently allows both local and remote actors to gain unauthorized access if they can reach the plugin endpoints.

Generated by OpenCVE AI on May 12, 2026 at 10:27 UTC.

Remediation

Vendor Solution

Update the WordPress Timetics Plugin to the latest available version (at least 1.0.54).

OpenCVE Recommended Actions

  • Update the WordPress Timetics plugin to version 1.0.54 or newer.
  • Reconfigure any custom role‑based access controls so that only users with administrative privileges can invoke the plugin’s protected endpoints.
  • Conduct a targeted penetration test or access audit to confirm that unauthorized users can no longer retrieve or modify plugin data after the update.

Generated by OpenCVE AI on May 12, 2026 at 10:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Arraytics
Arraytics timetics
Wordpress
Wordpress wordpress
Vendors & Products Arraytics
Arraytics timetics
Wordpress
Wordpress wordpress

Tue, 12 May 2026 08:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through 1.0.53.
Title WordPress Timetics plugin <= 1.0.53 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Arraytics Timetics
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T12:43:40.710Z

Reserved: 2026-04-07T08:24:21.368Z

Link: CVE-2026-39432

cve-icon Vulnrichment

Updated: 2026-05-12T12:43:35.618Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T09:16:40.337

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-39432

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T11:45:14Z

Weaknesses