{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32362", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:53.774Z", "datePublished": "2026-03-13T11:42:05.065Z", "dateUpdated": "2026-04-29T09:51:57.881Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "activitytime", "product": "WP Sessions Time Monitoring Full Automatic", "vendor": "activity-log.com", "versions": [{"changes": [{"at": "1.1.4", "status": "unaffected"}], "lessThanOrEqual": "1.1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:48.709Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.1.3.</p>"}], "value": "Missing Authorization vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.1.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.881Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/activitytime/vulnerability/wordpress-wp-sessions-time-monitoring-full-automatic-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Sessions Time Monitoring Full Automatic plugin <= 1.1.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32362", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T18:45:03.180985Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:53:31.053Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32362", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T18:45:03.180985Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:45:04.098Z"}}], "cna": {"title": "WordPress WP Sessions Time Monitoring Full Automatic plugin <= 1.1.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "activity-log.com", "product": "WP Sessions Time Monitoring Full Automatic", "versions": [{"status": "affected", "changes": [{"at": "1.1.4", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.1.3"}], "packageName": "activitytime", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:29.160Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/activitytime/vulnerability/wordpress-wp-sessions-time-monitoring-full-automatic-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.1.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.1.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:05.065Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32362", "state": "PUBLISHED", "dateUpdated": "2026-03-13T18:53:31.053Z", "dateReserved": "2026-03-12T11:10:53.774Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:05.065Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.1.3."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en activity-log.com WP Sessions Time Monitoring Full Automatic activitytime permite Explotar Niveles de Seguridad de control de acceso Incorrectamente Configurados. Este problema afecta a WP Sessions Time Monitoring Full Automatic: desde n/a hasta &lt;= 1.1.3."}], "id": "CVE-2026-32362", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:50.120", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/activitytime/vulnerability/wordpress-wp-sessions-time-monitoring-full-automatic-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.1.4,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "wp_sessions_time_monitoring_full_automatic", "vendor": "activity-log.com"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T14:58:24.184008+00:00", "value": {"mitigation_remediation": ["Ensure the plugin is upgraded to a version where the issue is fixed; if unavailable, disable the plugin to prevent unauthorized access.", "Restrict the plugin\u2019s permissions to the minimum required set of user roles, ensuring only trusted administrators can access it.", "Regularly monitor plugin files for unexpected changes and confirm no unauthorized code has been injected.", "Consult the vendor\u2019s website or support for an official patch or update."], "summary": {"action": "Patch or Update", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Affected product: activity-log.com WP Sessions Time Monitoring Full Automatic. Versions from n/a through 1.1.3 are impacted. No other vendor or version information is provided.", "description_and_impact": "The vulnerability resides in the WordPress plugin WP Sessions Time Monitoring Full Automatic, version <=1.1.3. It is a Missing Authorization flaw that allows an attacker to bypass access controls and potentially view or modify session data. The flaw could be exploited to read or alter sensitive session information, leading to unauthorized access to user data and impacting confidentiality and integrity of the site data. Key weakness: CWE-862.", "risk_and_exploitability": "CVSS score of 5.3 indicates moderate severity. EPSS score < 1% shows low exploitation likelihood. The vulnerability is not listed in CISA KEV. Attack vector is inferred to be remote exploitation via the WordPress administrator interface because the flaw is a broken access control in a plugin. No further exploitation paths are detailed in the description."}}}}, "created": "2026-03-16T09:34:45.491328+00:00", "updated": "2026-03-23T09:58:55.552218+00:00", "vendors": ["activity-log.com", "activity-log.com$PRODUCT$wp_sessions_time_monitoring_full_automatic", "wordpress", "wordpress$PRODUCT$wordpress"]}