Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network-reachable plugin endpoint exploitable by any Subscriber (PR:L, AC:L, UI:N); SQLi reads wider WP DB (S:C, C:H) with limited write impact (I:L) and no availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions.
AnalysisAI
SQL injection in the WordPress plugin WP Sessions Time Monitoring Full Automatic (versions 1.1.4 and earlier) allows authenticated users with Subscriber-level access to inject malicious SQL into backend database queries. The CVSS scope change (S:C) and high confidentiality impact indicate that exploitation can expose data beyond the plugin's own context, including potentially the broader WordPress database. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
The vulnerability is a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) flaw in the activity-log.com 'WP Sessions Time Monitoring Full Automatic' (activitytime) plugin for WordPress, per the CPE 'cpe:2.3:a:activity-log.com:wp_sessions_time_monitoring_full_automatic'. The plugin tracks user session activity and likely passes user-supplied parameters into SQL queries without proper sanitization or use of $wpdb->prepare(). Because WordPress Subscribers can authenticate but normally have no privileged data access, an injection reachable at this role escalates exposure of the WordPress database (wp_users, wp_usermeta, options including secrets).
RemediationAI
No vendor-released patch identified at time of analysis in the supplied data; defenders should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/activitytime/vulnerability/wordpress-wp-sessions-time-monitoring-full-automatic-plugin-1-1-4-sql-injection-vulnerability for any updated fixed version and upgrade beyond 1.1.4 once published. As compensating controls until a patched version is confirmed, deactivate and remove the WP Sessions Time Monitoring Full Automatic plugin (side effect: loss of session activity logging), disable open user registration or set the default role to no privileges to prevent attackers from obtaining Subscriber accounts (side effect: blocks legitimate self-service signups), and deploy a WordPress WAF with SQLi rules such as Patchstack/Wordfence virtual patches targeting this CVE (side effect: possible false positives on admin queries). Restrict access to /wp-login.php and /wp-admin via IP allowlisting where feasible to reduce the pool of authenticated attackers.
The WP Sessions Time Monitoring Full Automatic WordPress plugin before 1.0.9 does not sanitize the request URL or query
Insufficient access control in WP Sessions Time Monitoring Full Automatic version 1.1.3 and earlier permits unauthentica
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37047
GHSA-8r7w-wppc-53wm