CVE-2025-9018

8.8 HIGH

📋 TL;DR

The Time Tracker WordPress plugin has a missing capability check vulnerability that allows authenticated users with Subscriber-level access or higher to modify critical WordPress settings and delete database records. Attackers can register themselves as Administrators and potentially take full control of affected WordPress sites. All WordPress sites using Time Tracker plugin versions up to 3.1.0 are affected.

💻 Affected Systems

Products:
  • WordPress Time Tracker plugin
Versions: All versions up to and including 3.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Time Tracker plugin enabled. Any authenticated user (Subscriber role or higher) can exploit this vulnerability.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover where attackers gain administrative privileges, modify all content, install malicious plugins/themes, steal sensitive data, and maintain persistent access.

🟠 Likely Case

Attackers elevate privileges to Administrator, modify site settings, inject malicious content, and potentially compromise other sites on shared hosting.

🟢 If Mitigated

Limited data deletion and unauthorized settings changes, but full site compromise prevented by additional security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is trivial once authenticated. Public proof-of-concept code is available in the references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3359157/

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the 'Time Tracker' plugin.
  4. Click 'Update Now' if an update is available.
  5. If no update is available, deactivate and delete the plugin, then install a fresh copy of version 3.1.1 or later from the WordPress repository.

🔧 Temporary Workarounds

Disable Time Tracker Plugin (Platform: all)

Temporarily disable the vulnerable plugin until the patched version can be installed:

wp plugin deactivate time-tracker

Restrict User Registration (Platform: all)

Disable user registration to prevent attackers from creating accounts:

wp option update users_can_register 0

🧯 If You Can't Patch

  • Remove the Subscriber and Contributor roles from all users; keep only trusted Administrator and Editor accounts
  • Implement web application firewall rules that block requests to admin-ajax.php whose action parameter is tt_update_table_function or tt_delete_record_function

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Time Tracker → Version. If version is 3.1.0 or lower, you are vulnerable.

Check Version:

wp plugin get time-tracker --field=version

Verify Fix Applied:

After updating, verify Time Tracker plugin version is 3.1.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=tt_update_table_function or action=tt_delete_record_function
  • Unusual user role changes from Subscriber to Administrator
  • Multiple failed login attempts followed by successful Subscriber login

Network Indicators:

  • HTTP POST requests containing 'tt_update_table_function' or 'tt_delete_record_function' parameters
  • Unusual traffic patterns to WordPress admin-ajax.php from non-admin users

SIEM Query:

source="wordpress.log" AND (action="tt_update_table_function" OR action="tt_delete_record_function") AND user_role="subscriber"
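As an added example (not from the original page or the plugin's code), the log indicators above applied to a few constructed access-log lines in Python. It assumes the admin-ajax action is visible in the logged request URL (query string); by default a web server does not log the POST body, so a request that carries the action only in the body needs a logging layer that records it before this check can see it.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2025:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=tt_update_table_function HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Sep/2025:14:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=tt_delete_record_function HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:14:03:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:14:03:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# The two AJAX actions named in the advisory's log indicators.
SUSPECT_ACTIONS = {"tt_update_table_function", "tt_delete_record_function"}

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspect_requests(log_text):
    """Return one record per request to admin-ajax.php carrying a suspect action."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlparse(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs returns a list per key; a request may repeat 'action'.
        for action in parse_qs(url.query).get("action", []):
            if action in SUSPECT_ACTIONS:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "action": action, "status": int(m.group("status"))})
    return hits


def count_by_ip(hits):
    """Aggregate suspect requests per client IP for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_suspect_requests(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['action']} status={h['status']}")
```

A status of 200 on these requests from an account that is not an Administrator is the signal worth correlating with the role-change indicator above.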
