CVE-2025-9018
Time · Time Tracker plugin for WordPress
Executive summary
A high-severity vulnerability exists in the Time Tracker plugin for WordPress, affecting all versions up to and including version 3. The flaw allows any authenticated user, regardless of their permission level, to modify or delete data managed by the plugin. Successful exploitation could lead to significant data loss and corruption, impacting business operations that rely on the integrity of the tracked time data.
Vulnerability
The vulnerability is a Broken Access Control issue caused by a missing capability check. The plugin's functions responsible for updating and deleting records (tt_update_table_function and tt_delete_record_function) do not verify if the user making the request has the appropriate permissions to perform such actions. An attacker with a low-privileged account, such as a 'subscriber', can craft a direct request to the server's AJAX endpoint to call these functions and arbitrarily modify or delete any data stored by the plugin.
Business impact
This is a high-severity vulnerability with a CVSS score of 8.8, posing a significant risk to data integrity and availability. Exploitation could result in the unauthorized modification or complete deletion of critical time-tracking records. This can directly disrupt business processes such as client billing, project management, and payroll, potentially leading to financial loss, reputational damage, and disputes with clients or employees. The ease of exploitation by any authenticated user elevates the risk to organizations using this plugin.
Remediation
Immediate Action:
- Immediately update the Time Tracker plugin to the latest version provided by the developer, which contains a patch for this vulnerability.
- If the plugin is not critical for business operations, the most secure course of action is to deactivate and uninstall it to completely remove the attack surface.
- Review WordPress user accounts and remove any that are no longer needed to minimize the number of potential low-privileged attackers.
Proactive Monitoring:
- Monitor web server and WAF logs for an unusual volume of POST requests to wp-admin/admin-ajax.php that include the actions tt_update_table_function or tt_delete_record_function, especially if originating from non-administrative users.
- Implement database monitoring or integrity checks on the tables associated with the Time Tracker plugin to detect unauthorized modifications or deletions.
- Review audit logs for unexpected data changes performed by low-privileged user accounts.
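The log check described above, written out as an added example (not part of the advisory or the plugin): it scans Combined Log Format lines for requests to admin-ajax.php that name either vulnerable action, and counts hits per source address. The `body="..."` field and the sample lines are constructed assumptions; ordinary access logs do not record POST bodies, so that field only exists where the server or WAF is configured to log them.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The two AJAX actions the advisory names as lacking a capability check.
VULNERABLE_ACTIONS = {"tt_update_table_function", "tt_delete_record_function"}

# Combined Log Format plus an optional trailing body="..." field. Standard access
# logs do not record POST bodies, so the action is only visible when it was sent in
# the query string or the server/WAF is configured to log the request body.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+(?: "[^"]*" "[^"]*")?(?: body="(?P<body>[^"]*)")?'
)

def extract_actions(target, body):
    """Collect every 'action' parameter from the query string and the logged body."""
    actions = set()
    for source in (urlsplit(target).query, body or ""):
        actions.update(parse_qs(source).get("action", []))
    return actions

def find_suspicious(lines):
    """Return (ip, method, action) for each request invoking a vulnerable action."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        # admin-ajax.php reads 'action' from $_REQUEST, so GET is checked as well as POST.
        if not m or not urlsplit(m["target"]).path.endswith("/wp-admin/admin-ajax.php"):
            continue
        for action in sorted(extract_actions(m["target"], m["body"]) & VULNERABLE_ACTIONS):
            hits.append((m["ip"], m["method"], action))
    return hits

def noisy_sources(lines, threshold=2):
    """Source IPs whose hit count reaches the threshold, for the 'unusual volume' check."""
    counts = Counter(ip for ip, _, _ in find_suspicious(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines, not real traffic. The WordPress user is not in an access
# log (auth is cookie-based), so attributing a hit to a low-privileged account still
# needs correlation with the site's own audit log.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=tt_delete_record_function HTTP/1.1" 200 27 "-" "curl/8.4"',
    '203.0.113.7 - - [12/Sep/2025:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=tt_delete_record_function HTTP/1.1" 200 27 "-" "curl/8.4"',
    '198.51.100.4 - - [12/Sep/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0" body="action=tt_update_table_function&id=5"',
    '198.51.100.4 - - [12/Sep/2025:10:02:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0" body="action=heartbeat"',
    '192.0.2.9 - - [12/Sep/2025:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=tt_update_table_function HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
]
```

Feed real log lines to `find_suspicious` and raise the `threshold` to whatever volume is abnormal for the site; the benign `heartbeat` call to the same endpoint is deliberately not flagged.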
Compensating Controls:
- If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with custom rules to block requests to the vulnerable AJAX actions from users who are not administrators.
- Temporarily disable the plugin until it can be safely updated.
- Restrict user registration on the website to prevent attackers from easily creating low-privileged accounts.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.8 and the direct threat to data integrity, we strongly recommend immediate remediation. Organizations using the affected versions of the Time Tracker plugin must prioritize applying the security update as soon as possible. While this CVE is not currently on the CISA KEV list, its severity and the ubiquity of WordPress make it a highly attractive target. If the plugin's functionality is not essential, we recommend its complete removal as the most effective risk mitigation strategy.