CVE-2025-67915

HighUpdated

Published: 08 January 2026

Published

08 January 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 29.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67915 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for all logical access paths, directly preventing authentication bypass via alternate channels in the Timetics plugin.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Explicitly authorizes and limits actions performable without identification or authentication, mitigating unintended bypasses through alternate paths exploited by low-privileged users.

SI-2 Flaw Remediation good match

preventrecover

Requires timely identification, reporting, and correction of flaws like this authentication bypass vulnerability via patching the affected Timetics plugin versions.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse.This issue affects Timetics: from n/a through <= 1.0.46.

Deeper analysisAI

CVE-2025-67915 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Arraytics Timetics WordPress plugin. Published on 2026-01-08, this issue affects all versions of Timetics from n/a through 1.0.46 and enables authentication abuse.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Low-privileged authenticated users can exploit it remotely with low attack complexity and no user interaction, potentially achieving high impacts on confidentiality, integrity, and availability.

The Patchstack advisory provides further details on this broken authentication vulnerability in Timetics 1.0.46: https://patchstack.com/database/Wordpress/Plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-46-broken-authentication-vulnerability?_s_id=cve.

Details

CWE(s): CWE-288

CVEs Like This One

CVE-2025-0749Shared CWE-288

CVE-2025-68860Shared CWE-288

CVE-2026-1779Shared CWE-288

CVE-2025-10484Shared CWE-288

CVE-2025-62064Shared CWE-288

CVE-2025-63217Shared CWE-288

CVE-2025-64236Shared CWE-288

CVE-2025-13539Shared CWE-288

CVE-2024-26009Shared CWE-288

CVE-2025-6388Shared CWE-288

References

https://patchstack.com/database/Wordpress/Plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-46-broken-authentication-vulnerability?_s_id=cve
audit@patchstack.com