CVE Alert: CVE-2025-9018 – germanpearls – Time Tracker

CVE-2025-9018

Severity: HIGH
No exploitation known

The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the ‘tt_update_table_function’ and ‘tt_delete_record_function’ functions in all versions up to, and including, 3.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update options such as user registration and default role, allowing anyone to register as an Administrator, and to delete limited data from the database.

CVSS v3.1 (8.8)
Vendor
germanpearls
Product
Time Tracker
Versions
* <= 3.1.0
CWE
CWE-862 Missing Authorization
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-09-11T11:15:03.487Z
Updated
2025-09-11T11:15:03.487Z

AI Summary Analysis

Risk verdict

High risk: authorised, low-privilege users can perform arbitrary option updates and limited data deletions, potentially enabling Administrator accounts and broad site impact.

Why this matters

The flaw enables attacker goals such as elevating access to full site control and creating persistence, with immediate implications for data integrity and user management. Given the lack of required user interaction, it is feasible for an existing subscriber to trigger widespread changes, risking confidentiality, integrity and availability of the WP site.

Most likely attack path

An authenticated attacker with Subscriber+ privileges can exploit missing authorization in the tt_update_table_function and tt_delete_record_function to modify registration options and delete data. No UI interaction is required, so abuse can occur remotely during normal plugin operation. With scope unchanged, an authorised attacker could maintain foothold and potentially cascade to broader admin-level actions if further misconfigurations exist.

Who is most exposed

WordPress sites using Time Tracker, especially those with public registration, multiple subscribers, or weak role-management on shared hosting, are most at risk.

Detection ideas

  • Unexpected changes to user registration defaults or roles via the plugin options.
  • Calls to tt_update_table_function or tt_delete_record_function from non-privileged accounts.
  • Creation or elevation of administrator-like accounts from Subscriber-level activity.
  • Anomalous data deletions tied to the plugin’s database tables.
  • Breadcrumbs or audit logs showing privilege changes without corresponding admin actions.

Mitigation and prioritisation

  • Patch immediately to a version with the fix; if unavailable, disable or uninstall the plugin until remediation.
  • Enforce least privilege for WordPress accounts and remove automatic admin role assignment on registration.
  • Restrict access to the plugin’s option-update and record-deletion endpoints so that only appropriately privileged users can reach them (capability checks, not just authentication); enable WP hardening and MFA where feasible.
  • Monitor and alert on unusual changes to user roles and plugin-related database tables.
  • Change-management: test patch in staging, then roll out across environments; document any role-management policy changes. If exploitation likelihood is confirmed (KEV/EPSS indicators), treat as priority 1.
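The root cause named above is a missing authorization (capability) check on handlers that authenticated users can reach. The following is an added illustration of that pattern and its fix in generic WordPress plugin code; it is not the Time Tracker plugin's source (which this page does not show), and the hook names, option keys, table name and nonce action are assumptions chosen for the example.

```php
<?php
// Added illustration (not the Time Tracker plugin's code): a WordPress AJAX
// handler shown first without the capability check that CVE-2025-9018
// describes as missing (CWE-862), then in a hardened form.
// Hook names, option keys, table name and nonce action are assumptions.

// VULNERABLE PATTERN: registered under wp_ajax_*, so any logged-in user
// (Subscriber and above) can reach it, and nothing checks who is calling.
// With no authorization check, the impact the advisory describes follows:
// a low-privilege user can change registration-related site options.
function example_update_option_insecure() {
    $key   = sanitize_key( $_POST['option_name'] ?? '' );
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $key, $value );   // writes whatever option the caller names
    wp_send_json_success();
}

// HARDENED PATTERN: nonce check (request forgery), capability check
// (authorization), and an allow-list of plugin-owned option keys so the
// handler can never touch core options such as user registration defaults.
function example_update_option_secure() {
    check_ajax_referer( 'example_tt_nonce', 'nonce' );   // rejects forged requests
    if ( ! current_user_can( 'manage_options' ) ) {      // the check that was missing
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'example_tt_hours_per_day', 'example_tt_default_project' ); // assumed plugin keys
    $key = sanitize_key( $_POST['option_name'] ?? '' );
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $key, $value );
    wp_send_json_success();
}

// Same treatment for a record-deletion handler: authorization first, then a
// parameterised delete scoped to the plugin's own table (assumed name).
function example_delete_record_secure() {
    global $wpdb;
    check_ajax_referer( 'example_tt_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {      // choose the capability that matches the plugin's role design
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = absint( $_POST['record_id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    $deleted = $wpdb->delete( $wpdb->prefix . 'example_tt_records', array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// Only the hardened handlers are registered; the insecure one is kept above
// purely to show the missing check.
add_action( 'wp_ajax_example_tt_update_option', 'example_update_option_secure' );
add_action( 'wp_ajax_example_tt_delete_record', 'example_delete_record_secure' );
```

The point to take from the contrast is that `wp_ajax_*` hooks only prove a user is logged in; authorization has to be an explicit `current_user_can()` check inside each handler, and an allow-list of option keys keeps an authorized-but-buggy handler from reaching core options such as user registration defaults. When reviewing a vendor fix for this CVE, these are the two things to look for in the patched handlers.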
