Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.1.3.
AnalysisAI
Insufficient access control in WP Sessions Time Monitoring Full Automatic version 1.1.3 and earlier permits unauthenticated attackers to modify data through improperly configured authorization checks. This vulnerability affects WordPress site administrators and users relying on the plugin to properly restrict access to session monitoring features. An attacker could exploit this to alter activity logs or session data without proper authentication.
Technical ContextAI
The WP Sessions Time Monitoring Full Automatic plugin is a WordPress extension designed to monitor and log user session activity. The vulnerability stems from CWE-862: Missing Authorization, a common flaw in WordPress plugins where access control checks (such as capability verification via current_user_can() or nonce validation) are either absent or improperly implemented on sensitive functions or AJAX endpoints. WordPress plugins typically rely on the plugin's own authorization logic since WordPress core functions require authentication by default. In this case, the plugin fails to properly validate user roles or capabilities before allowing modifications to activity logs or session monitoring data, creating an unauthenticated modification vector. The affected product is identified via CPE as a WordPress plugin with versions up to and including 1.1.3 lacking proper authorization enforcement on data-modifying operations.
RemediationAI
Upgrade the WP Sessions Time Monitoring Full Automatic plugin to version 1.1.4 or later immediately, as this version should contain authorization control fixes. If an immediate patch is unavailable, disable the plugin entirely until a security update is released, as the vulnerability allows unauthorized data modification. As a temporary mitigation for sites that must keep the plugin active, implement Web Application Firewall (WAF) rules to restrict POST/AJAX requests to the plugin's endpoints to authenticated users only, enforce WordPress security hardening practices (disable file editing, restrict plugin/theme access), and monitor activity logs for suspicious modifications indicating exploitation attempts. Additionally, consider adding HTTP authentication or IP whitelisting at the reverse proxy level if the plugin endpoints can be isolated.
The WP Sessions Time Monitoring Full Automatic WordPress plugin before 1.0.9 does not sanitize the request URL or query
SQL injection in the WordPress plugin WP Sessions Time Monitoring Full Automatic (versions 1.1.4 and earlier) allows aut
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11853