CVE-2026-32362

Sessions Time Monitoring Full Automatic <= 1.1.3 - Missing Authorization

Severity: Medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 1.1.4
Time to patch: 60d

Description

The Sessions Time Monitoring Full Automatic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.1.3
Published: February 15, 2026
Last updated: April 15, 2026
Affected plugin: activitytime

What Changed in the Fix

Changes introduced in v1.1.4


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-32362

1. Vulnerability Summary

The WP Sessions Time Monitoring Full Automatic plugin (<= 1.1.3) contains a missing authorization vulnerability. Specifically, a sensitive function responsible for exporting session data into CSV format, activity_time_csv_url, is hooked to after_setup_theme and can be triggered by any user (authenticated or unauthenticated) simply by providing a specific GET parameter. The function lacks any capability checks (current_user_can) or nonce verification.

Additionally, based on the CVSS vector (I:L, C:N), there is likely an unauthenticated tracking endpoint (AJAX-based) that allows attackers to manipulate activity logs (Integrity impact) by spoofing or updating session data without authorization.

2. Attack Vector Analysis

  • Primary Endpoint: Any site URL with the url_export parameter.
  • Secondary Endpoint: wp-admin/admin-ajax.php (for log manipulation).
  • Parameters:
    • url_export (GET): Triggers the CSV export logic.
    • action (POST): Likely actt_save_visit or actt_update_time (inferred from plugin slug actt).
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. For the CSV export, the function actt_prepare_export must be reachable (
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Sessions Time Monitoring Full Automatic plugin is vulnerable to unauthorized data disclosure due to a missing authorization check in the `activity_time_csv_url` function. An unauthenticated attacker can trigger a CSV export of user session and activity data by simply visiting any page on the site with a specific GET parameter.

Vulnerable Code

// activitytime.php line 133
add_action('after_setup_theme', function () {
    activity_time_csv_url();
});

function activity_time_csv_url()
{
    if (!isset($_GET['url_export'])) return;

    ob_clean();

    global $wpdb;

    $table_name = $wpdb->prefix . 'actt_visited_pages';

    $table_users_name = $wpdb->prefix . 'users';

    $base_url = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]";

    if (defined('CUSTOM_USER_TABLE'))
        $table_users_name = '`' . CUSTOM_USER_TABLE . '`';

    $query  = 'SELECT SUM(time_sec_total) as total_time, user_info, request_uri, title, user_id, user_email FROM ' . esc_sql($table_name) . ' LEFT JOIN ' . esc_sql($table_users_name) . ' ON ' . esc_sql($table_name) . '.user_id = ' . $table_users_name . '.ID WHERE is_visit_end = 1 ';
    $query .= 'GROUP BY title ORDER BY total_time DESC';

    $data = $wpdb->get_results($query);
    // ... (logic to generate and output CSV) ...

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/activitytime/1.1.3/activitytime.php	2026-02-11 21:21:22.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/activitytime/1.1.4/activitytime.php	2026-03-04 13:46:58.000000000 +0000
@@ -136,6 +136,16 @@
 {
     if (!isset($_GET['url_export'])) return;
 
+    // Require login
+    if (!is_user_logged_in()) {
+        wp_die('Unauthorized', 403);
+    }
+
+    // Require admin capability
+    if ( ! current_user_can( 'administrator' ) ) {
+        exit();
+    }
+
     ob_clean();
 
     global $wpdb;
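Review bot: the second added check, `if ( ! current_user_can( 'administrator' ) )`, passes a role name rather than a capability; WordPress documents role-name checks as unreliable (a custom role granted the relevant capability is not matched), so prefer a capability such as `current_user_can( 'manage_options' )`. The two branches also fail differently: the `is_user_logged_in()` branch calls `wp_die('Unauthorized', 403)`, while the capability branch calls a bare `exit()`, which ends the request with an empty body and no explicit error status. Since a logged-out user has no capabilities, a single `if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'Unauthorized', 403 ); }` covers both cases. The export is still triggered by a plain `url_export` GET parameter with no nonce, so a `check_admin_referer()` on the export link would close the remaining CSRF path.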

Exploit Outline

To exploit this vulnerability, an attacker simply needs to send a GET request to any public-facing URL of the WordPress site (including the homepage) while appending the `url_export` parameter.

Example Payload: `GET /?url_export=1`

The function `activity_time_csv_url` is hooked to `after_setup_theme`, meaning it executes on every page load. Because it lacks capability checks (like `current_user_can('manage_options')`) or authentication checks (like `is_user_logged_in()`), the plugin will immediately process a database query against the activity tracking tables and return a CSV file containing user IDs, emails, requested URIs, and time spent on pages to the unauthenticated requester.
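As an added defender-side example (not part of this advisory, the plugin, or the research findings above), the following Python script scans web-server access-log lines for requests that would reach the vulnerable export path. It flags any request whose query string carries the `url_export` parameter, regardless of path, because the hook runs on `after_setup_theme` and therefore on every page load, and it separates entries that likely served the export (HTTP 200) from ones a patched site rejected (HTTP 403). The log lines, client addresses and timestamps are constructed for the example; the parameter name comes from the page.

```python
"""Flag access-log entries that trigger the unauthenticated CSV export (CVE-2026-32362)."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format (Apache/nginx default): ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# GET parameter named in the advisory; isset($_GET['url_export']) is true even for an empty value.
TRIGGER_PARAM = "url_export"

# Constructed sample log lines (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Feb/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5123',
    '203.0.113.5 - - [16/Feb/2026:10:01:09 +0000] "GET /?url_export=1 HTTP/1.1" 200 48211',
    '198.51.100.7 - - [16/Feb/2026:10:02:30 +0000] "GET /blog/hello-world/?utm_source=x&url_export HTTP/1.1" 200 39020',
    '198.51.100.7 - - [16/Feb/2026:10:05:00 +0000] "POST /?url_export=1 HTTP/1.1" 403 12',
    '192.0.2.9 - - [16/Feb/2026:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2001',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def is_export_trigger(target):
    """True if the request target carries url_export in its query string.

    The path is irrelevant: the vulnerable function runs on every page load.
    keep_blank_values=True matters because '?url_export' with no value still
    satisfies PHP's isset() check.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return TRIGGER_PARAM in params


def classify(entry):
    """Translate the response status into a triage verdict."""
    if entry["status"] == 200:
        return "export-likely-served"
    if entry["status"] in (401, 403):
        return "blocked"
    return "other"


def scan(lines):
    """Return a finding for every parseable request that would trigger the export.

    The request method is deliberately not filtered: PHP populates $_GET from the
    query string for any method, so a POST with ?url_export=1 reaches the same code.
    """
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_export_trigger(entry["target"]):
            continue
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "method": entry["method"],
            "target": entry["target"],
            "status": entry["status"],
            "bytes": entry["bytes"],
            "verdict": classify(entry),
        })
    return findings


def by_client(findings):
    """Count triggering requests per client address for a quick summary."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['target']} -> {f['status']} ({f['bytes']} bytes) [{f['verdict']}]")
    print("per client:", by_client(scan(SAMPLE_LOG)))
```

A response size far above the site's normal page weight on a flagged 200 is the strongest indicator that the CSV actually went out; a 403 on the same request after updating to 1.1.4 shows the patch's login check in effect.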
