CVE-2025-9018: 
WordPress vulnerability analysis and mitigation

The Time Tracker plugin for WordPress contains a security vulnerability (CVE-2025-9018) discovered and disclosed on September 11, 2025. The vulnerability affects all versions up to and including 3.1.0 of the Time Tracker plugin. This security issue stems from missing capability checks in two key functions: 'ttupdatetablefunction' and 'ttdeleterecordfunction' (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 8.8 (HIGH). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, and high impact on confidentiality, integrity, and availability (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to perform unauthorized modifications to the system. Specifically, attackers can update critical options such as user registration settings and default roles, potentially enabling anyone to register as an Administrator. Additionally, the vulnerability permits the deletion of limited data from the database (NVD).

Users should update the Time Tracker plugin to a version newer than 3.1.0 when available. The vulnerability has been addressed in the WordPress plugin repository through a code change (WordPress Plugin).