CVE-2025-9018: CWE-862 Missing Authorization in germanpearls Time Tracker
The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'tt_update_table_function' and 'tt_delete_record_function' functions in all versions up to, and including, 3.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update options such as user registration and default role, allowing anyone to register as an Administrator, and to delete limited data from the database.
AI Analysis
Technical Summary
The germanpearls Time Tracker plugin for WordPress suffers from a missing authorization vulnerability identified as CVE-2025-9018 (CWE-862). The functions 'tt_update_table_function' and 'tt_delete_record_function' perform sensitive writes without first checking that the caller holds an appropriate capability. Any authenticated user, down to the Subscriber role, can therefore reach them and update site options, including the ones that control whether visitors may register and which role new accounts receive (in standard WordPress these are the 'users_can_register' and 'default_role' options). Enabling open registration and setting the default role to Administrator lets the attacker, or anyone else, register a fresh Administrator account, which amounts to a full site takeover. The same missing check lets the attacker delete limited data from the database. All versions up to and including 3.1.0 are affected. The CVSS 3.1 base score is 8.8 (High): network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The only precondition is a valid low-privilege account, which on any site that already allows registration an attacker can simply create. No official patch is linked at the time of this analysis, which raises the urgency of interim mitigation. Two points matter for triage. First, CWE-862 is an authorization defect, so a nonce check is not a substitute for the missing capability check: a nonce only proves that the request originated from a page the user loaded, not that the user is permitted to perform the action. Second, the damage is done to core site settings and to the user table, so a compromise can persist after the plugin itself is removed or updated.
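The following is an added illustration, in WordPress terms, of the CWE-862 pattern described above and of the capability-check fix recommended under Mitigation Recommendations below. It is not the Time Tracker plugin's code, which this advisory does not reproduce; the handler names, the 'tt_opts' nonce action, the option allowlist and the table name are hypothetical.

```php
<?php
// Added illustration for CVE-2025-9018 (CWE-862); not the Time Tracker plugin's
// code. Handler names, the 'tt_opts' nonce action, the option allowlist and the
// table name are hypothetical.

// ---- Vulnerable pattern ------------------------------------------------------
// wp_ajax_* hooks fire for every logged-in user, Subscriber included. A nonce
// only proves the request came from a page the user loaded; it says nothing
// about whether that user may change site settings.
add_action( 'wp_ajax_tt_update_table_hypothetical', 'tt_update_table_vulnerable' );
function tt_update_table_vulnerable() {
    check_ajax_referer( 'tt_opts', 'nonce' );   // CSRF check only, no authorization
    $name  = sanitize_text_field( wp_unslash( $_POST['option_name'] ?? '' ) );
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );             // attacker picks both: e.g. default_role=administrator
    wp_send_json_success();
}

// ---- Hardened update ---------------------------------------------------------
add_action( 'wp_ajax_tt_update_table_fixed', 'tt_update_table_hardened' );
function tt_update_table_hardened() {
    check_ajax_referer( 'tt_opts', 'nonce' );
    // CWE-862 fix: the caller must hold an administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Least privilege: only options this plugin owns can be written, each through
    // its own validator, so core options such as users_can_register are
    // unreachable through this path even for an administrator.
    $allowed = array(
        'tt_hours_per_day' => 'absint',
        'tt_default_rate'  => 'floatval',
    );
    $name = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    if ( ! isset( $allowed[ $name ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = call_user_func( $allowed[ $name ], wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( $name => $value ) );
}

// ---- Hardened delete ---------------------------------------------------------
add_action( 'wp_ajax_tt_delete_record_fixed', 'tt_delete_record_hardened' );
function tt_delete_record_hardened() {
    global $wpdb;
    check_ajax_referer( 'tt_opts', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = absint( $_POST['record_id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( 'bad record id', 400 );
    }
    // The table name is fixed and the predicate is bound as an integer, so the
    // caller controls neither which table nor which rows are touched.
    $deleted = $wpdb->delete( $wpdb->prefix . 'tt_time_entries', array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( 'database error', 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

The check belongs in the handler itself, not only in the admin page that hides the button, because the handler is reachable directly. Where a plugin legitimately lets non-administrators edit their own records, the right fix is a narrower capability plus an ownership check on the row, not the removal of the check altogether.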
Potential Impact
Organizations running the germanpearls Time Tracker plugin face a direct path from the lowest built-in WordPress role to full administrative control. An attacker with a Subscriber account can compromise confidentiality by reading everything the site stores, integrity by altering content and settings, and availability by deleting data or breaking plugin functionality. Administrative access in turn allows account takeover, injection of malicious content, defacement, installation of further plugins or themes, and use of the site as a staging point for attacks on visitors or on the organization. Because the attack works by changing the site's registration settings, it also creates persistence: once an attacker-controlled Administrator exists, removing or updating the plugin does not remove that account. For businesses that rely on WordPress for customer engagement, internal tracking, or time management, the result can be operational disruption, reputational damage, and regulatory exposure if sensitive data is accessed or altered. The low skill requirement and the breadth of impact make this a high-severity issue for any site with the plugin installed, and especially for sites that already allow visitors to register.
Mitigation Recommendations
Immediate mitigation is to deactivate and remove the germanpearls Time Tracker plugin until a fixed release is available; because no fixed version is named in this advisory, every installed version should be treated as affected. Before anything else, check the two settings the vulnerability targets: user registration ('users_can_register') should be disabled unless the site needs it, and the default role ('default_role') should be 'subscriber'. Then audit all Administrator accounts for ones that should not exist, remove them, and reset the passwords and active sessions of the remaining administrators, since an attacker who reached Administrator may have changed credentials or planted other persistence. Disabling open registration closes the "anyone can register as Administrator" path but does nothing against an attacker who already holds a Subscriber or higher account, so it is not a substitute for removing the plugin. A Web Application Firewall can offer temporary protection only if its rules match the actual requests that reach the two functions; the advisory does not identify that endpoint or its parameters, so the rules must be derived from the plugin's own source. Monitor for changes to the registration and default-role options and for new accounts created with the Administrator role; both are rare events on a healthy site and justify an alert. If removal is genuinely not feasible, a local patch should add a capability check (for example a check on the 'manage_options' capability, or a narrower capability if the plugin's design calls for one) at the start of both 'tt_update_table_function' and 'tt_delete_record_function', independent of any nonce check, and should limit the options those functions may write to the ones the plugin itself owns. Keep current backups of the site and database so that deleted data can be restored, and apply the vendor's fix as soon as one is published.
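An added audit script for the checks just described; it is not part of the advisory or of the plugin. It assumes WP-CLI is installed and is run from the WordPress root with wp eval-file. The plugin is matched by its display name because the advisory does not state its main file or directory.

```php
<?php
/**
 * Added audit for the conditions CVE-2025-9018 lets a low-privilege user create.
 * Not part of the advisory or of the plugin. Assumes WP-CLI is installed; run
 * from the site root with:  wp eval-file tt-audit.php
 * The plugin is matched by display name because the advisory does not state
 * its main file or directory.
 */

$findings = array();

// 1. Is an affected version installed? Inactive copies still matter once reactivated.
require_once ABSPATH . 'wp-admin/includes/plugin.php';
foreach ( get_plugins() as $file => $data ) {
    if ( 'Time Tracker' !== $data['Name'] ) {
        continue;
    }
    $state = is_plugin_active( $file ) ? 'active' : 'inactive';
    if ( version_compare( $data['Version'], '3.1.0', '<=' ) ) {
        $findings[] = "Time Tracker {$data['Version']} ({$state}) is in the affected range (<= 3.1.0)";
    } else {
        WP_CLI::log( "Time Tracker {$data['Version']} ({$state}) is above 3.1.0" );
    }
}

// 2. The two settings whose combination yields the takeover: open registration
//    plus an Administrator default role. Either one alone deserves a look.
$can_register = (string) get_option( 'users_can_register' );
$default_role = (string) get_option( 'default_role' );
if ( '1' === $can_register ) {
    $findings[] = 'users_can_register is enabled (anyone can register)';
}
if ( 'subscriber' !== $default_role ) {
    $findings[] = "default_role is '{$default_role}' (WordPress default is 'subscriber')";
}

// 3. Every Administrator, newest first. Compare with the people who should hold
//    the role; an unfamiliar account registered recently is a candidate backdoor.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );
WP_CLI::log( sprintf( '%-6s %-24s %-20s %s', 'ID', 'login', 'registered', 'email' ) );
foreach ( $admins as $u ) {
    WP_CLI::log( sprintf( '%-6d %-24s %-20s %s', $u->ID, $u->user_login, $u->user_registered, $u->user_email ) );
}

// 4. Report, with the reversal commands for the two settings.
if ( empty( $findings ) ) {
    WP_CLI::success( 'No affected version found and registration settings are at safe values; still review the administrator list.' );
} else {
    foreach ( $findings as $f ) {
        WP_CLI::warning( $f );
    }
    WP_CLI::log( 'After confirming the change was not intended, restore safe values with:' );
    WP_CLI::log( '  wp option update users_can_register 0' );
    WP_CLI::log( '  wp option update default_role subscriber' );
}
```

Because the script runs inside the site's own PHP, it trusts that installation; if there is reason to suspect the site code has been backdoored, confirm the administrator list and the two options directly in the database from a separate host rather than relying only on this output.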
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-14T00:40:19.271Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c31dfb563d4c3db05f6e61
Added to database: 9/11/2025, 7:07:39 PM
Last enriched: 2/26/2026, 5:35:02 PM
Last updated: 3/23/2026, 6:08:45 PM