Time Tracker Security & Risk Analysis

wordpress.org/plugins/time-tracker

Time Tracker enables freelancers to track clients, projects, tasks (including recurring), time, billing info and more on private pages of their website.

30 active installs · v3.2.0 · PHP 7.0+ · WP 5.3+ · Updated Sep 10, 2025
Tags: billing-hours, freelancer-tools, time-management, time-tracker, to-do-list

Score 98 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Sep 10, 2025
Safety Verdict

Is Time Tracker Safe to Use in 2026?

Generally Safe

Score 98/100

Time Tracker has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Sep 10, 2025 · Updated 6mo ago
Risk Assessment

The 'time-tracker' plugin v3.2.0 presents a mixed security posture. While it demonstrates good practices in SQL query handling with 100% prepared statements and a high percentage of output escaping (88%), significant concerns arise from its extensive unprotected attack surface. All 13 identified AJAX handlers lack authentication checks, creating a substantial opportunity for unauthorized actions.

Taint analysis reveals four high-severity flows with unsanitized paths, indicating potential for injection vulnerabilities, though no critical severity flows were found. The plugin has a history of one high-severity CVE, specifically related to missing authorization. The fact that this vulnerability is no longer present in this version is positive, but the recurring theme of missing authorization in past vulnerabilities, coupled with the current lack of auth checks on AJAX handlers, suggests a persistent weakness.

Overall, the plugin's strengths lie in its secure database interaction and output handling. However, the critical deficiency in securing its AJAX entry points, combined with a history of authorization flaws, makes it a high-risk plugin. The absence of authentication on all AJAX endpoints is the most pressing concern and should be addressed immediately to mitigate potential unauthorized data manipulation or execution.

Key Concerns

  • All AJAX handlers lack authentication checks
  • High severity taint flows with unsanitized paths
  • Large attack surface without authentication
  • History of high severity CVE (Missing Authorization)
Vulnerabilities · 1

Time Tracker Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)

Severity Breakdown

High: 1 (1 total CVE)

CVE-2025-9018 · High · 8.8 · Missing Authorization

Time Tracker <= 3.1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update and Limited Data Deletion

Sep 10, 2025 · Patched in 3.2.0 (1d)
Code Analysis · Analyzed Mar 16, 2026

Time Tracker Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 0 (34 prepared)
  • Unescaped Output: 65 (495 escaped)
  • Nonce Checks: 12
  • Capability Checks: 2
  • File Operations: 16
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

  • exec · exec($mysqldump_cmd . " > " . $export_file); · admin\function-tt-export-tables.php:34
  • passthru · passthru($file); · admin\function-tt-export-tables.php:43

SQL Query Safety

100% prepared · 34 total queries

Output Escaping

88% escaped · 560 total outputs
Data Flows · 4 unsanitized

Data Flow Analysis

6 flows · 4 with unsanitized paths

  • tt_delete_record_function (inc\function-tt-delete-record.php:24)
Attack Surface · 13 unprotected

Time Tracker Attack Surface

Entry Points: 13 · Unprotected: 13

AJAX Handlers (13)

  • auth · wp_ajax_tt_update_project_list · inc\class-time-tracker.php:283
  • auth · wp_ajax_tt_update_task_list · inc\class-time-tracker.php:284
  • auth · wp_ajax_tt_update_table · inc\class-time-tracker.php:285
  • auth · wp_ajax_tt_clear_sql_error · inc\class-time-tracker.php:286
  • auth · wp_ajax_tt_export_pending_time · inc\class-time-tracker.php:287
  • auth · wp_ajax_tt_export_pending_time_for_qb · inc\class-time-tracker.php:288
  • auth · wp_ajax_tt_delete_record · inc\class-time-tracker.php:289
  • auth · wp_ajax_tt_start_timer_for_new_task · inc\class-time-tracker.php:290
  • auth · wp_ajax_tt_export_data · inc\class-time-tracker.php:377
  • auth · wp_ajax_tt_export_pending_time_for_qb · inc\class-time-tracker.php:378
  • auth · wp_ajax_tt_delete_data · inc\class-time-tracker.php:379
  • auth · wp_ajax_tt_run_recurring_task_cron · inc\class-time-tracker.php:380
  • auth · wp_ajax_tt_dismiss_admin_notice · inc\class-time-tracker.php:381

WordPress Hooks (46)
  • action · admin_notices · admin\function-tt-admin-notice.php:195
  • action · admin_menu · admin\tt-admin-menu.php:51
  • action · admin_bar_menu · admin\tt-admin-menu.php:53
  • action · wpcf7_before_send_mail · inc\CF7\class-tt-hook-save-form-data-cf7.php:88
  • action · wpcf7_init · inc\CF7\function-tt-custom-cf7-field-categories-from-settings.php:17
  • action · wpcf7_init · inc\CF7\function-tt-custom-cf7-field-categories-from-settings.php:18
  • action · wpcf7_init · inc\CF7\function-tt-custom-cf7-field-categories-from-settings.php:19
  • action · wpcf7_init · inc\CF7\function-tt-custom-cf7-field-categories-from-settings.php:20
  • action · wpcf7_init · inc\CF7\function-tt-custom-cf7-field-client-dropdown.php:17
  • action · wpcf7_init · inc\CF7\function-tt-custom-cf7-field-datetime.php:19
  • action · wpcf7_init · inc\CF7\function-tt-custom-cf7-field-project-dropdown.php:17
  • action · wpcf7_init · inc\CF7\function-tt-custom-cf7-field-task-dropdown.php:18
  • action · wp · inc\CF7\function-tt-recaptcha-cf7.php:23
  • filter · wpcf7_skip_spam_check · inc\CF7\function-tt-recaptcha-cf7.php:34
  • action · wp · inc\CF7\function-tt-recaptcha-cf7.php:51
  • action · init · inc\class-time-tracker-activator-pages.php:131
  • action · wp_enqueue_scripts · inc\class-time-tracker.php:293
  • action · wp_enqueue_scripts · inc\class-time-tracker.php:304
  • action · admin_enqueue_scripts · inc\class-time-tracker.php:384
  • action · admin_enqueue_scripts · inc\class-time-tracker.php:395
  • action · admin_init · inc\class-time-tracker.php:406
  • action · wp_footer · inc\class-tt-hook-after-form-data-saved.php:140
  • action · wpcf7_before_send_mail · inc\class-tt-hook-save-form-data.php:54
  • filter · theme_page_templates · inc\class-tt-load-page-templates.php:103
  • filter · template_include · inc\class-tt-load-page-templates.php:104
  • action · tt_recurring_task_check · inc\function-tt-cron-recurring-tasks.php:262
  • action · wpcf7_init · inc\function-tt-custom-cf7-field-categories-from-settings.php:17
  • action · wpcf7_init · inc\function-tt-custom-cf7-field-categories-from-settings.php:18
  • action · wpcf7_init · inc\function-tt-custom-cf7-field-categories-from-settings.php:19
  • action · wpcf7_init · inc\function-tt-custom-cf7-field-categories-from-settings.php:20
  • action · wpcf7_init · inc\function-tt-custom-cf7-field-client-dropdown.php:17
  • action · wpcf7_init · inc\function-tt-custom-cf7-field-datetime.php:19
  • action · wpcf7_init · inc\function-tt-custom-cf7-field-project-dropdown.php:17
  • action · wpcf7_init · inc\function-tt-custom-cf7-field-task-dropdown.php:17
  • action · wp_head · inc\function-tt-load-dynamic-stylesheets.php:13
  • action · wp · inc\function-tt-recaptcha.php:23
  • filter · wpcf7_skip_spam_check · inc\function-tt-recaptcha.php:34
  • action · wp · inc\function-tt-recaptcha.php:51
  • action · wpforms_field_properties · inc\WPF\class-time-tracker-wpf-fields-add-properties.php:143
  • action · wpforms_display_submit_after · inc\WPF\class-time-tracker-wpf-fields-add-properties.php:145
  • action · wpforms_field_data · inc\WPF\class-time-tracker-wpf-select-fields-dynamic-options.php:181
  • action · wpforms_process_entry_save · inc\WPF\class-tt-hook-save-form-data-wpf.php:89
  • action · plugins_loaded · time-tracker.php:122
  • action · plugins_loaded · time-tracker.php:126
  • action · plugins_loaded · time-tracker.php:135
  • action · plugins_loaded · time-tracker.php:136

Scheduled Events (1)

  • tt_recurring_task_check
Maintenance & Trust

Time Tracker Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Sep 10, 2025
  • PHP min version: 7.0
  • Downloads: 12K

Community Trust

  • Rating: 86/100
  • Number of ratings: 3
  • Active installs: 30
Developer Profile

Time Tracker Developer Profile

Amy

1 plugin · 30 total installs

Trust score: 99
Avg Security Score: 98/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Time Tracker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/time-tracker/assets/css/time-tracker.css
  • /wp-content/plugins/time-tracker/assets/css/time-tracker-admin.css
  • /wp-content/plugins/time-tracker/assets/js/time-tracker.js
  • /wp-content/plugins/time-tracker/assets/js/time-tracker-admin.js
  • /wp-content/plugins/time-tracker/inc/CF7/js/time-tracker-cf7.js
  • /wp-content/plugins/time-tracker/inc/WPForms/js/time-tracker-wpforms.js

Script Paths
  • /wp-content/plugins/time-tracker/assets/js/time-tracker.js
  • /wp-content/plugins/time-tracker/assets/js/time-tracker-admin.js
  • /wp-content/plugins/time-tracker/inc/CF7/js/time-tracker-cf7.js
  • /wp-content/plugins/time-tracker/inc/WPForms/js/time-tracker-wpforms.js

Version Parameters
  • time-tracker/assets/css/time-tracker.css?ver=
  • time-tracker/assets/css/time-tracker-admin.css?ver=
  • time-tracker/assets/js/time-tracker.js?ver=
  • time-tracker/assets/js/time-tracker-admin.js?ver=
  • time-tracker/inc/CF7/js/time-tracker-cf7.js?ver=
  • time-tracker/inc/WPForms/js/time-tracker-wpforms.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • tt-
  • tt-form
  • tt-form-wrap
  • tt-task-list-wrap
  • tt-project-list-wrap
  • tt-client-list-wrap
  • tt-task-item
  • tt-project-item
  • tt-client-item
  • +6 more

Data Attributes
  • data-tt-form-id
  • data-tt-task-id
  • data-tt-project-id
  • data-tt-client-id

JS Globals
  • timeTrackerAdmin
  • timeTrackerFrontend
FAQ

Frequently Asked Questions about Time Tracker