Cyber Resilience

CVE-2025-67915

High

Published: 08 January 2026

Published
08 January 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0037 28.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-67915 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-67915 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Arraytics Timetics WordPress plugin. Published on 2026-01-08, this issue affects all versions of Timetics from n/a through 1.0.46 and enables authentication abuse.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Low-privileged authenticated users can exploit it remotely with low attack complexity and no user interaction, potentially achieving high impacts on confidentiality, integrity, and availability.

The Patchstack advisory provides further details on this broken authentication vulnerability in Timetics 1.0.46: https://patchstack.com/database/Wordpress/Plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-46-broken-authentication-vulnerability?_s_id=cve.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse.This issue affects Timetics: from n/a through <= 1.0.46.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44574Shared CWE-288
CVE-2025-2747Shared CWE-288
CVE-2025-69101Shared CWE-288
CVE-2026-2628Shared CWE-288
CVE-2025-64121Shared CWE-288
CVE-2026-22733Shared CWE-288
CVE-2026-44575Shared CWE-288
CVE-2025-50904Shared CWE-288
CVE-2025-24846Shared CWE-288
CVE-2026-25002Shared CWE-288

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for all logical access paths, directly preventing authentication bypass via alternate channels in the Timetics plugin.

prevent

Explicitly authorizes and limits actions performable without identification or authentication, mitigating unintended bypasses through alternate paths exploited by low-privileged users.

preventrecover

Requires timely identification, reporting, and correction of flaws like this authentication bypass vulnerability via patching the affected Timetics plugin versions.

References