Skip to main content

Wp Sessions Time Monitoring Full Automatic CVE-2026-32362

| EUVDEUVD-2026-11853 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11853
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.1.3.

AnalysisAI

Insufficient access control in WP Sessions Time Monitoring Full Automatic version 1.1.3 and earlier permits unauthenticated attackers to modify data through improperly configured authorization checks. This vulnerability affects WordPress site administrators and users relying on the plugin to properly restrict access to session monitoring features. An attacker could exploit this to alter activity logs or session data without proper authentication.

Technical ContextAI

The WP Sessions Time Monitoring Full Automatic plugin is a WordPress extension designed to monitor and log user session activity. The vulnerability stems from CWE-862: Missing Authorization, a common flaw in WordPress plugins where access control checks (such as capability verification via current_user_can() or nonce validation) are either absent or improperly implemented on sensitive functions or AJAX endpoints. WordPress plugins typically rely on the plugin's own authorization logic since WordPress core functions require authentication by default. In this case, the plugin fails to properly validate user roles or capabilities before allowing modifications to activity logs or session monitoring data, creating an unauthenticated modification vector. The affected product is identified via CPE as a WordPress plugin with versions up to and including 1.1.3 lacking proper authorization enforcement on data-modifying operations.

RemediationAI

Upgrade the WP Sessions Time Monitoring Full Automatic plugin to version 1.1.4 or later immediately, as this version should contain authorization control fixes. If an immediate patch is unavailable, disable the plugin entirely until a security update is released, as the vulnerability allows unauthorized data modification. As a temporary mitigation for sites that must keep the plugin active, implement Web Application Firewall (WAF) rules to restrict POST/AJAX requests to the plugin's endpoints to authenticated users only, enforce WordPress security hardening practices (disable file editing, restrict plugin/theme access), and monitor activity logs for suspicious modifications indicating exploitation attempts. Additionally, consider adding HTTP authentication or IP whitelisting at the reverse proxy level if the plugin endpoints can be isolated.

Share

CVE-2026-32362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy