WP Sessions Time Monitoring CVE-2024-49681
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows SQL Injection.This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.0.9.
AnalysisAI
SQL injection in the WP Sessions Time Monitoring Full Automatic WordPress plugin (versions up to and including 1.0.9) allows remote unauthenticated attackers to inject crafted SQL into backend queries, exposing sensitive WordPress database contents and degrading availability. No public exploit identified at time of analysis, but the EPSS percentile of 98% (51.33% probability) places this in the top tier of vulnerabilities likely to be exploited in the next 30 days.
Technical ContextAI
The flaw is a classic CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) issue in a WordPress plugin developed by activity-log.com that logs and monitors user session activity. Plugins of this category typically read request parameters (such as user IDs, session tokens, or time-range filters) and interpolate them directly into SQL queries against the WordPress wp_ database rather than using $wpdb->prepare() with placeholders. Because the affected plugin processes session telemetry, the injectable parameters likely live in admin-facing reporting or AJAX endpoints reachable without authentication, where unsanitized input flows into a SELECT or WHERE clause executed against the WordPress database.
Affected ProductsAI
The vulnerability affects the WP Sessions Time Monitoring Full Automatic WordPress plugin (slug: activitytime) by activity-log.com, in all versions from initial release through and including 1.0.9. The advisory was published by Patchstack (audit@patchstack.com), which maintains coverage of WordPress plugin vulnerabilities; refer to the Patchstack database entry for CVE-2024-49681 for the canonical advisory and CPE references.
RemediationAI
No vendor-released patch identified at time of analysis - the description states the issue affects all versions through 1.0.9 with no fixed version specified, so administrators should monitor the plugin's WordPress.org page and Patchstack advisory for an updated release and apply it immediately when published. Until a fixed version is available, the safest action is to deactivate and remove the WP Sessions Time Monitoring Full Automatic plugin, accepting the loss of session-tracking telemetry. As compensating controls, deploy a WordPress-aware WAF rule (Patchstack, Wordfence, or ModSecurity OWASP CRS) to block SQL metacharacters on the plugin's endpoints, restrict access to wp-admin and admin-ajax.php by IP allow-list at the web server or CDN layer (which will break legitimate admin access from unlisted networks), and audit the WordPress database and access logs for prior indicators of exploitation such as anomalous UNION SELECT patterns or unexpected reads against wp_users and wp_options.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today