PT-2025-37173 · WordPress · Time Tracker

Jonas Benjamin Friedli · Published 2025-09-11 · Updated 2025-09-16 · CVE-2025-9018

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Time Tracker plugin for WordPress versions through 3.1.0
Description: The Time Tracker plugin for WordPress is susceptible to unauthorized modification and data loss. A missing capability check within the tt_update_table_function and tt_delete_record_function functions allows authenticated attackers with Subscriber-level access or higher to update options, including user registration and default role settings. This could enable unauthorized users to register as Administrators and to delete limited data from the database.
Recommendations: Update the Time Tracker plugin to a version beyond 3.1.0.

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2025-9018

Affected Products: Time Tracker