Time Tracker WordPress Plugin Missing Authorization Vulnerability Allows Arbitrary Options Update and Data Deletion

Vulnerability

A vulnerability exists in the Time Tracker plugin for WordPress, affecting all versions through 3.1.0. The issue arises from a lack of proper capability checks in the 'tt_update_table_function' and 'tt_delete_record_function' functions. This vulnerability enables authenticated attackers with Subscriber-level access or higher to modify, without authorization, options related to user registration and default roles, potentially allowing users to register as Administrators. Additionally, it permits the deletion of certain data from the database.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in user roles and the deletion of specific data from the database.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a POST request to the WordPress site. The request must include the 'table', 'field', and 'id' parameters, as well as the 'tt_update_table_nonce' or 'tt_delete_record_nonce' value for the respective function. The absence of a proper authorization check allows the user to manipulate data in Time Tracker's database tables.
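The advisory's root cause is that both handlers verify a nonce but no capability. A nonce only proves the request originated from a page WordPress rendered for that logged-in user (anti-CSRF); it is not an authorization decision, so any Subscriber can obtain one and call the handler. The following is an added example written for this advisory, not code from the Time Tracker plugin, showing the check pattern the plugin lacked: a shared gate that verifies the nonce and then the capability, plus an allowlist so the request cannot choose an arbitrary table or column. The 'tt_example_*' function and action names, the 'security' request parameter, the 'manage_options' capability chosen as the gate, and the allowlisted table and column names are all assumptions; the nonce action names come from the advisory.

```php
<?php
// Illustrative hardened handlers (added example, not the plugin's own code).
// Names prefixed tt_example_ are assumptions made for this example.

// Fixed allowlist of tables (without the $wpdb prefix) and the columns an
// AJAX caller may edit. Constructed for this example.
const TT_EXAMPLE_EDITABLE = array(
    'tt_example_clients' => array( 'company', 'notes' ),
    'tt_example_tasks'   => array( 'description', 'status' ),
);

/**
 * Shared gate: CSRF check first, then authorization. The second check is the
 * one the advisory reports as missing; without it the nonce alone lets any
 * Subscriber reach the database write.
 */
function tt_example_authorize( $nonce_action ) {
    // Dies with a 403 if the nonce in $_POST['security'] is missing or invalid.
    check_ajax_referer( $nonce_action, 'security' );

    // Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}

/** Resolve 'table' and 'id' from the request against the allowlist, or fail. */
function tt_example_target() {
    $table = isset( $_POST['table'] ) ? sanitize_key( wp_unslash( $_POST['table'] ) ) : '';
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    if ( ! isset( TT_EXAMPLE_EDITABLE[ $table ] ) || 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid target.' ), 400 );
    }
    return array( $table, $id );
}

/** Handler for admin-ajax action 'tt_example_update_table'. */
function tt_example_update_table_function() {
    tt_example_authorize( 'tt_update_table_nonce' );
    list( $table, $id ) = tt_example_target();

    $field = isset( $_POST['field'] ) ? sanitize_key( wp_unslash( $_POST['field'] ) ) : '';
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    // Column name must also come from the allowlist, never raw from the request.
    if ( ! in_array( $field, TT_EXAMPLE_EDITABLE[ $table ], true ) ) {
        wp_send_json_error( array( 'message' => 'Field not editable.' ), 400 );
    }

    global $wpdb;
    $rows = $wpdb->update(
        $wpdb->prefix . $table,    // table name is an allowlist key, not user input
        array( $field => $value ),
        array( 'id' => $id ),
        array( '%s' ),
        array( '%d' )
    );
    if ( false === $rows ) {
        wp_send_json_error( array( 'message' => 'Update failed.' ), 500 );
    }
    wp_send_json_success( array( 'rows' => $rows ) );
}

/** Handler for admin-ajax action 'tt_example_delete_record'. */
function tt_example_delete_record_function() {
    tt_example_authorize( 'tt_delete_record_nonce' );
    list( $table, $id ) = tt_example_target();

    global $wpdb;
    $rows = $wpdb->delete( $wpdb->prefix . $table, array( 'id' => $id ), array( '%d' ) );
    if ( false === $rows ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'rows' => $rows ) );
}

// wp_ajax_ hooks only fire for logged-in users; that is not authorization
// either, which is why tt_example_authorize() still runs in every handler.
add_action( 'wp_ajax_tt_example_update_table',  'tt_example_update_table_function' );
add_action( 'wp_ajax_tt_example_delete_record', 'tt_example_delete_record_function' );
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_*` or `admin_post_*` callback that reaches `$wpdb`, `update_option()` or `wp_delete_post()` and confirm a `current_user_can()` call guards it; `check_ajax_referer()` or `wp_verify_nonce()` on its own is the exact pattern this advisory describes.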

Remediation

Users are advised to update the Time Tracker plugin to version 3.2.0 or later, where this vulnerability has been patched.

Added: Sep 11, 2025, 12:18 PM
Updated: Sep 11, 2025, 5:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.