CVE-2025-9018 Overview
CVE-2025-9018 affects the Time Tracker plugin for WordPress through version 3.1.0. The vulnerability stems from missing capability checks on the tt_update_table_function and tt_delete_record_function handlers. Authenticated attackers with Subscriber-level access can modify WordPress options, including users_can_register and default_role. This allows any user to register as an Administrator and gain full control of the site. The same flaw permits attackers to delete limited records from the database. The issue is tracked under CWE-862: Missing Authorization.
Critical Impact
A Subscriber-level account can escalate to Administrator by toggling registration options, leading to full WordPress site compromise.
Affected Products
- Time Tracker plugin for WordPress, all versions up to and including 3.1.0
- WordPress sites with the plugin active and open user registration paths
- Any site allowing Subscriber-level account creation
Discovery Timeline
- 2025-09-11 - CVE-2025-9018 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9018
Vulnerability Analysis
The Time Tracker plugin exposes two AJAX-accessible functions, tt_update_table_function and tt_delete_record_function, that perform privileged actions without verifying the caller's WordPress capability. Authenticated users at the Subscriber tier or higher can invoke these handlers to write arbitrary option values through the plugin's update path. By targeting the users_can_register and default_role options, an attacker can enable public registration and set the default role to administrator. Once enabled, the attacker registers a new account that inherits Administrator privileges, achieving full site takeover. The delete handler additionally permits unauthorized removal of plugin-managed records, supporting integrity and availability impact in addition to confidentiality.
Root Cause
The handlers omit a current_user_can() capability check and rely only on the WordPress nonce or authentication state. Authentication alone does not constrain privileged option writes, so any logged-in user can reach the vulnerable code path. The fix in WordPress changeset 3359157 adds the missing authorization gate.
Attack Vector
Exploitation requires a valid WordPress session at the Subscriber role or above. The attacker sends a crafted POST request to the plugin's AJAX endpoint invoking tt_update_table_function, passing option names and values that change registration settings. With registration opened and the default role set to Administrator, the attacker self-registers a privileged account. Network access to wp-admin/admin-ajax.php is the only prerequisite. No user interaction is required after the initial session is established.
Verified proof-of-concept code is not available in the referenced sources. See the Wordfence Vulnerability Report and the WordPress Plugin Code Review for technical details on the unguarded handler.
Detection Methods for CVE-2025-9018
Indicators of Compromise
- Unexpected changes to the users_can_register or default_role values in the wp_options table.
- New Administrator accounts created through /wp-login.php?action=register without prior approval.
- POST requests to admin-ajax.php with the action parameter set to tt_update_table or tt_delete_record from low-privilege users.
- Sudden deletions in Time Tracker plugin database tables without corresponding admin activity.
Detection Strategies
- Audit the wp_options table for recent modifications to registration-related keys and correlate with the requesting user ID.
- Hunt web server logs for admin-ajax.php POSTs containing the vulnerable action names originating from Subscriber accounts.
- Compare current WordPress user roster against a known-good baseline to surface unauthorized Administrator accounts.
Monitoring Recommendations
- Enable WordPress audit logging that captures option changes, user creation, and role assignments.
- Forward web access logs to a centralized analytics platform and alert on AJAX calls to plugin handlers by non-admin users.
- Monitor for outbound connections from wp-content/plugins/time-tracker/ paths that may indicate post-compromise activity.
How to Mitigate CVE-2025-9018
Immediate Actions Required
- Update the Time Tracker plugin to a version above 3.1.0 that incorporates WordPress Changeset 3359157.
- Disable the plugin until a patched release can be installed if updates are not immediately possible.
- Review WordPress user accounts and remove any unrecognized Administrator users.
- Reset credentials for all privileged accounts and rotate any API keys exposed through the admin interface.
Patch Information
The vendor addressed the missing authorization check in WordPress Changeset 3359157. The patch adds capability validation to both tt_update_table_function and tt_delete_record_function. Refer to the Wordfence Vulnerability Report for the fixed version reference.
Workarounds
- Restrict Subscriber registration entirely by setting users_can_register to 0 and locking the option via configuration.
- Apply a Web Application Firewall (WAF) rule that blocks admin-ajax.php requests with action=tt_update_table or action=tt_delete_record from non-administrator sessions.
- Enforce role separation by removing the plugin from sites that allow open Subscriber registration.
# Enforce registration disabled and default role at the database layer
wp option update users_can_register 0
wp option update default_role subscriber
wp plugin update time-tracker
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

