[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_snf5NIUicpbW7i_eHGm9fitATuU7--Cd1Bs66NhDKM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-32362","sessions-time-monitoring-full-automatic-missing-authorization","Sessions Time Monitoring Full Automatic \u003C= 1.1.3 - Missing Authorization","The Sessions Time Monitoring Full Automatic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.","activitytime",null,"\u003C=1.1.3","1.1.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-15 00:00:00","2026-04-15 21:05:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa99ec547-63b5-474b-b6d0-e4ef9c2b4445?source=api-prod",60,[22,23],"README.txt","activitytime.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32362\n\n## 1. 
Vulnerability Summary\nThe **WP Sessions Time Monitoring Full Automatic** plugin (\u003C= 1.1.3) contains a missing authorization vulnerability. Specifically, a sensitive function responsible for exporting session data into CSV format, `activity_time_csv_url`, is hooked to `after_setup_theme` and can be triggered by any user (authenticated or unauthenticated) simply by providing a specific GET parameter. The function lacks any capability checks (`current_user_can`) or nonce verification.\n\nAdditionally, based on the CVSS vector (`I:L`, `C:N`), there may be an unauthenticated tracking endpoint (AJAX-based) that allows attackers to manipulate activity logs (Integrity impact) by spoofing or updating session data without authorization. This is an inference from the vector alone and is not confirmed by the code reviewed below, which only establishes the CSV export path.\n\n## 2. Attack Vector Analysis\n- **Primary Endpoint:** Any site URL with the `url_export` parameter (the parameter only needs to be present; its value is not checked).\n- **Secondary Endpoint:** `wp-admin\u002Fadmin-ajax.php` (for log manipulation, unverified).\n- **Parameters:**\n    - `url_export` (GET): Triggers the CSV export logic.\n    - `action` (POST): Possibly `actt_save_visit` or `actt_update_time`; these names are guesses from the `actt` table prefix and were not verified against the plugin source.\n- **Authentication:** None (Unauthenticated).\n- **Preconditions:** The plugin must be active. For the CSV export, the function `actt_prepare_export` must be reachable (","The WP Sessions Time Monitoring Full Automatic plugin is vulnerable to unauthorized data disclosure due to a missing authorization check in the `activity_time_csv_url` function. An unauthenticated attacker can trigger a CSV export of user session and activity data by simply visiting any page on the site with a specific GET parameter. Because the exported query selects `user_id` and `user_email` alongside the visited URIs, the impact observed in the code is a confidentiality one, which the published CVSS vector (`C:N`, `I:L`) does not reflect; treat the vector as understating the exposure.","\u002F\u002F activitytime.php line 133\nadd_action('after_setup_theme', function () {\n    activity_time_csv_url();\n});\n\nfunction activity_time_csv_url()\n{\n    if (!isset($_GET['url_export'])) return;\n\n    ob_clean();\n\n    global $wpdb;\n\n    $table_name = $wpdb->prefix . 'actt_visited_pages';\n\n    $table_users_name = $wpdb->prefix . 
'users';\n\n    $base_url = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? \"https\" : \"http\") . \":\u002F\u002F$_SERVER[HTTP_HOST]\";\n\n    if (defined('CUSTOM_USER_TABLE'))\n        $table_users_name = '`' . CUSTOM_USER_TABLE . '`';\n\n    $query  = 'SELECT SUM(time_sec_total) as total_time, user_info, request_uri, title, user_id, user_email FROM ' . esc_sql($table_name) . ' LEFT JOIN ' . esc_sql($table_users_name) . ' ON ' . esc_sql($table_name) . '.user_id = ' . $table_users_name . '.ID WHERE is_visit_end = 1 ';\n    $query .= 'GROUP BY title ORDER BY total_time DESC';\n\n    $data = $wpdb->get_results($query);\n    \u002F\u002F ... (logic to generate and output CSV) ...","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Factivitytime\u002F1.1.3\u002Factivitytime.php\t2026-02-11 21:21:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Factivitytime\u002F1.1.4\u002Factivitytime.php\t2026-03-04 13:46:58.000000000 +0000\n@@ -136,6 +136,16 @@\n {\n     if (!isset($_GET['url_export'])) return;\n \n+    \u002F\u002F Require login\n+    if (!is_user_logged_in()) {\n+        wp_die('Unauthorized', 403);\n+    }\n+\n+    \u002F\u002F Require admin capability\n+    if ( ! current_user_can( 'administrator' ) ) {\n+        exit();\n+    }\n+\n     ob_clean();\n \n     global $wpdb;","To exploit this vulnerability, an attacker simply needs to send a GET request to any public-facing URL of the WordPress site (including the homepage) while appending the `url_export` parameter. \n\nExample Payload: `GET \u002F?url_export=1` \n\nThe function `activity_time_csv_url` is hooked to `after_setup_theme`, meaning it executes on every page load. 
Because it lacks capability checks (like `current_user_can('manage_options')`) or authentication checks (like `is_user_logged_in()`), the plugin will immediately process a database query against the activity tracking tables and return a CSV file containing user IDs, emails, requested URIs, and time spent on pages to the unauthenticated requester. The trigger is `isset($_GET['url_export'])`, so any value (not only `1`) fires the export; detection or blocking rules should key on the parameter name rather than a specific value. Note on the 1.1.4 fix: after requiring a logged-in user it tests `current_user_can( 'administrator' )`, which passes a role name rather than a capability; WordPress advises against role names in `current_user_can()`, so a capability check such as `current_user_can('manage_options')` is the more reliable form of this guard.","gemini-3-flash-preview","2026-04-20 22:17:31","2026-04-20 22:18:25",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.1.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Factivitytime\u002Ftags\u002F1.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Factivitytime.1.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Factivitytime\u002Ftags\u002F1.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Factivitytime.1.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Factivitytime\u002Ftags"]