Skip to main content

WP Sessions Time Monitoring Full Automatic EUVDEUVD-2026-37047

| CVE-2026-39581 HIGH
SQL Injection (CWE-89)
2026-06-16 Patchstack GHSA-8r7w-wppc-53wm
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Network-reachable plugin endpoint exploitable by any Subscriber (PR:L, AC:L, UI:N); SQLi reads wider WP DB (S:C, C:H) with limited write impact (I:L) and no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 10:26 vuln.today

DescriptionCVE.org

Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions.

AnalysisAI

SQL injection in the WordPress plugin WP Sessions Time Monitoring Full Automatic (versions 1.1.4 and earlier) allows authenticated users with Subscriber-level access to inject malicious SQL into backend database queries. The CVSS scope change (S:C) and high confidentiality impact indicate that exploitation can expose data beyond the plugin's own context, including potentially the broader WordPress database. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

The vulnerability is a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) flaw in the activity-log.com 'WP Sessions Time Monitoring Full Automatic' (activitytime) plugin for WordPress, per the CPE 'cpe:2.3:a:activity-log.com:wp_sessions_time_monitoring_full_automatic'. The plugin tracks user session activity and likely passes user-supplied parameters into SQL queries without proper sanitization or use of $wpdb->prepare(). Because WordPress Subscribers can authenticate but normally have no privileged data access, an injection reachable at this role escalates exposure of the WordPress database (wp_users, wp_usermeta, options including secrets).

RemediationAI

No vendor-released patch identified at time of analysis in the supplied data; defenders should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/activitytime/vulnerability/wordpress-wp-sessions-time-monitoring-full-automatic-plugin-1-1-4-sql-injection-vulnerability for any updated fixed version and upgrade beyond 1.1.4 once published. As compensating controls until a patched version is confirmed, deactivate and remove the WP Sessions Time Monitoring Full Automatic plugin (side effect: loss of session activity logging), disable open user registration or set the default role to no privileges to prevent attackers from obtaining Subscriber accounts (side effect: blocks legitimate self-service signups), and deploy a WordPress WAF with SQLi rules such as Patchstack/Wordfence virtual patches targeting this CVE (side effect: possible false positives on admin queries). Restrict access to /wp-login.php and /wp-admin via IP allowlisting where feasible to reduce the pool of authenticated attackers.

Share

EUVD-2026-37047 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy