WP Sessions Time Monitoring Full Automatic Security & Risk Analysis

wordpress.org/plugins/activitytime

Plugin will accurately measure all activity time per page and user like working time, reading time, watching time, sessions time for specific user on …

600 active installs v1.1.5 PHP + WP 5.2+ Updated Mar 4, 2026
accuratemonitoringsessiontimetracking
Score: 87/100 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Apr 20, 2026
Safety Verdict

Is WP Sessions Time Monitoring Full Automatic Safe to Use in 2026?

Generally Safe

Score 87/100

WP Sessions Time Monitoring Full Automatic has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

5 known CVEs · Last CVE: Apr 20, 2026 · Updated 2mo ago
Risk Assessment

The 'activitytime' plugin exhibits a concerning security posture due to a significant number of unprotected entry points and a history of critical vulnerabilities. While the plugin utilizes prepared statements for all SQL queries, which is a strong security practice, this is overshadowed by the presence of 5 unprotected entry points (AJAX handlers and REST API routes). Furthermore, the static analysis reveals 6 high-severity taint flows with unsanitized paths, indicating a real risk of sensitive data exposure or manipulation. The 'unserialize' function also poses a potential risk if not handled with extreme care.

The plugin's vulnerability history is also a major red flag, with 3 known CVEs including a past critical vulnerability. The common types of vulnerabilities (XSS and SQL Injection) align with the identified taint flows and unprotected entry points, suggesting persistent weaknesses in input validation and sanitization. The absence of nonce checks on AJAX handlers and only one capability check across all entry points further exacerbates these risks, making it easier for attackers to exploit.

In conclusion, despite the good practice of using prepared statements for SQL, the 'activitytime' plugin has significant security weaknesses. The high number of unprotected entry points, the critical taint flows, and the historical vulnerability record point to a plugin that requires immediate attention and remediation to mitigate potential exploitation.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • High severity taint flows
  • Unsanitized paths in taint flows
  • Dangerous unserialize function
  • No nonce checks
  • Low capability check coverage
  • Bundled outdated Freemius v1.0
  • Past critical vulnerability
  • Past high severity vulnerability
  • Past medium severity vulnerability
Vulnerabilities
5 published

WP Sessions Time Monitoring Full Automatic Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 1 CVE
  • 2026: 2 CVEs

Severity Breakdown

  • Critical: 1
  • High: 1
  • Medium: 3

5 total CVEs

CVE-2026-39581 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Sessions Time Monitoring Full Automatic <= 1.1.4 - Authenticated (Subscriber+) SQL Injection

Apr 20, 2026 · Patched in 1.1.5 (11d)

CVE-2026-32362 · medium · 5.3 · Missing Authorization

Sessions Time Monitoring Full Automatic <= 1.1.3 - Missing Authorization

Feb 15, 2026 · Patched in 1.1.4 (60d)

CVE-2025-24718 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Sessions Time Monitoring Full Automatic <= 1.1.1 - Reflected Cross-Site Scripting

Jan 31, 2025 · Patched in 1.1.2 (4d)

CVE-2024-49681 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Sessions Time Monitoring Full Automatic <= 1.0.9 - Unauthenticated SQL Injection

Oct 21, 2024 · Patched in 1.1.0 (10d)

CVE-2023-5203 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Sessions Time Monitoring Full Automatic <= 1.0.8 - Unauthenticated SQL injection

Sep 11, 2023 · Patched in 1.0.9 (149d)

Code Analysis
Analyzed Mar 16, 2026

WP Sessions Time Monitoring Full Automatic Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 0 (20 prepared)
  • Unescaped Output: 216 (191 escaped)
  • Nonce Checks: 0
  • Capability Checks: 1
  • File Operations: 0
  • External Requests: 1
  • Bundled Libraries: 3

Dangerous Functions Found

unserialize · 'filter_par'=> json_encode(unserialize($filter['filter_par'])) · application\controllers\Actt_current_active.php:316

Bundled Libraries

DataTables, Freemius 1.0, Select2

SQL Query Safety

100% prepared · 20 total queries

Output Escaping

47% escaped · 407 total outputs

Data Flows · Security
6 unsanitized

Data Flow Analysis

10 flows · 6 with unsanitized paths

  • <index> (application\views\actt_sessions\index.php:0)

Attack Surface
5 unprotected

WP Sessions Time Monitoring Full Automatic Attack Surface

Entry Points: 6
Unprotected: 5

AJAX Handlers: 3

  • nopriv · wp_ajax_activitytime_action · includes\class-activitytime.php:254
  • auth · wp_ajax_activitytime_action · includes\class-activitytime.php:260
  • auth · wp_ajax_activitytime_mvc_action · includes\class-activitytime.php:266

REST API Routes: 2

  • POST /wp-json/acct_api/v2/drop_users · activitytime-api.php:5
  • POST /wp-json/activitytime/v1/action · includes\class-activitytime.php:302

Shortcodes: 1

  • [actt_time_page] · shortcodes\actt_time_page.php:3

WordPress Hooks: 17

  • action · rest_api_init · activitytime-api.php:4
  • action · after_setup_theme · activitytime.php:131
  • action · plugins_loaded · includes\class-activitytime.php:163
  • action · admin_enqueue_scripts · includes\class-activitytime.php:178
  • action · admin_enqueue_scripts · includes\class-activitytime.php:179
  • action · admin_menu · includes\class-activitytime.php:184
  • action · wp_enqueue_scripts · includes\class-activitytime.php:203
  • action · wp_enqueue_scripts · includes\class-activitytime.php:204
  • action · plugins_loaded · includes\class-activitytime.php:252
  • action · wp_loaded · includes\class-activitytime.php:292
  • action · wp_head · includes\class-activitytime.php:294
  • action · admin_head · includes\class-activitytime.php:295
  • action · wp_head · includes\class-activitytime.php:297
  • action · admin_head · includes\class-activitytime.php:298
  • action · rest_api_init · includes\class-activitytime.php:301
  • action · admin_footer · includes\class-activitytime.php:377
  • action · wp_footer · includes\class-activitytime.php:378

Maintenance & Trust

WP Sessions Time Monitoring Full Automatic Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 4, 2026
PHP min version
Downloads: 12K

Community Trust

Rating: 100/100
Number of ratings: 7
Active installs: 600

Developer Profile

WP Sessions Time Monitoring Full Automatic Developer Profile

activity-log.com

5 plugins · 1K total installs

  • Trust score: 76
  • Avg Security Score: 95/100
  • Avg Patch Time: 118 days

Detection Fingerprints

How We Detect WP Sessions Time Monitoring Full Automatic

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/activitytime/admin/css/activitytime-admin.css
  • /wp-content/plugins/activitytime/public/css/activitytime-public.css
  • /wp-content/plugins/activitytime/public/js/activitytime-public.js

Script Paths

  • /wp-content/plugins/activitytime/public/js/activitytime-public.js

Version Parameters

  • activitytime-admin.css?ver=
  • activitytime-public.css?ver=
  • activitytime-public.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • activitytime-admin-wrap
  • activity-time-widget
  • actt-progress-bar
  • actt-widget-row
  • activity-time-table-wrap
  • activitytime-content-wrapper

HTML Comments

  • <!-- Activitytime Admin Setting -->
  • <!-- Activitytime Admin Setting END -->
  • <!-- Activity time widget -->
  • <!-- Activity time widget END -->
  • +4 more

Data Attributes

  • data-activitytime-post-id
  • data-activitytime-user-id
  • data-activitytime-post-type

JS Globals

  • activitytime_data
  • activitytime_admin_params

Shortcode Output

  • [activity_time_chart]
  • [activity_time_table]