WordPress Time Capsule Plugin 1.21.16 Authentication Bypass
Description
WordPress Time Capsule Plugin versions before 1.21.16 contain an authentication bypass that lets an unauthenticated attacker obtain administrator access by sending a crafted POST request whose raw body is the string IWP_JSON_PREFIX. The response sets valid administrator session cookies, which the attacker can then present to reach the WordPress dashboard without ever supplying credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: = 1.21.16
Patches
Vulnerability mechanics
Root cause
"Missing authentication check on POST requests whose body contains the IWP_JSON_PREFIX marker allows unauthenticated generation of an administrator session cookie."
Attack vector
An unauthenticated attacker sends a POST request to the WordPress site whose raw body is `IWP_JSON_PREFIX`, with a `Referer` header set to the target URL [ref_id=1]. The plugin's handler for such requests performs no authentication and answers with `Set-Cookie` headers for an authenticated administrator session; no username, password or shared secret is ever checked. Presenting that cookie on a request to `wp-admin/index.php` returns the dashboard, i.e. full administrative control of the site [ref_id=1].
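From the defender's side, the sequence above has a recognisable shape even though the request body (where `IWP_JSON_PREFIX` travels) is not written to ordinary access logs: a client gets an HTTP 200 from an authenticated `wp-admin` page without any preceding `POST /wp-login.php`, typically right after a `POST` to the site root. The following script is an added example, not part of the advisory or the plugin, that applies that heuristic to a constructed set of Apache/nginx "combined" log lines (the IPs, timestamps and hostname are made up for the sample):

```python
"""Heuristic detection of the WP Time Capsule auth bypass from web-server access logs.

Added example, not from the advisory or the plugin. The bypass body
(IWP_JSON_PREFIX) is not logged, so we look for the shape of the attack
sequence instead: a client reaches an authenticated wp-admin page (HTTP 200)
with no preceding POST to /wp-login.php, and we note whether a POST to the
site root (where the public PoC sends the marker body) came first.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Apache/nginx "combined" log format, assumed for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Endpoints under /wp-admin/ that anonymous clients legitimately hit with 200.
ANON_ADMIN_PATHS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(m.group("status"))
    return rec


def is_authenticated_admin_hit(rec: Dict[str, object]) -> bool:
    """A 200 on a wp-admin page (other than the anonymous endpoints) implies a live session."""
    path = str(rec["path"]).split("?", 1)[0]
    return (rec["method"] == "GET" and rec["status"] == 200
            and path.startswith("/wp-admin/") and path not in ANON_ADMIN_PATHS)


def find_suspect_admin_access(lines: Iterable[str],
                              window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """One finding per wp-admin 200 with no wp-login.php POST from the same IP inside `window`."""
    by_ip: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[str(rec["ip"])].append(rec)
    findings: List[Dict[str, object]] = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if not is_authenticated_admin_hit(rec):
                continue
            earlier = [p for p in recs[:i] if rec["ts"] - p["ts"] <= window]
            if any(p["method"] == "POST" and str(p["path"]).split("?", 1)[0] == "/wp-login.php"
                   for p in earlier):
                continue  # normal login flow, not interesting
            root_post = any(p["method"] == "POST" and p["path"] == "/" for p in earlier)
            findings.append({"ip": ip, "ts": rec["ts"], "path": rec["path"],
                             "root_post_seen": root_post})
    return findings


# Constructed sample: one bypass-shaped sequence, one normal login, one anonymous client.
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Jan/2020:10:00:01 +0000] "POST / HTTP/1.1" 200 0 "http://blog.example/" "python-requests/2.22.0"',
    '203.0.113.10 - - [21/Jan/2020:10:00:02 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 41203 "-" "python-requests/2.22.0"',
    '198.51.100.7 - - [21/Jan/2020:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.example/wp-login.php" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jan/2020:10:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 41203 "http://blog.example/wp-login.php" "Mozilla/5.0"',
    '192.0.2.5 - - [21/Jan/2020:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "http://blog.example/" "Mozilla/5.0"',
    '192.0.2.5 - - [21/Jan/2020:10:02:30 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_suspect_admin_access(SAMPLE_LOG):
        print(finding)
```

Treat the output as triage, not proof: an administrator whose `wordpress_logged_in` cookie was issued before the start of the log window will also be flagged, so confirm a hit by checking the plugin version on the host and whether the client ever authenticated through `wp-login.php` in older logs.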
Affected code
The WordPress Time Capsule plugin (versions < 1.21.16) fails to authenticate POST requests whose body contains the `IWP_JSON_PREFIX` marker. The exploit targets the plugin's handler for those requests, which accepts a raw body of `IWP_JSON_PREFIX` and responds with a valid administrator session cookie without requiring any credentials.
What the fix does
The advisory does not include a patch diff. The recommended remediation is to upgrade the WordPress Time Capsule plugin to version 1.21.16 or later, which presumably adds a proper authentication check before the `IWP_JSON_PREFIX` request body is acted on [ref_id=1]. Until the upgrade is applied, any unauthenticated visitor can obtain an administrator session, so an installation that cannot be updated immediately should have the plugin deactivated in the meantime.
Preconditions
- config: The WordPress Time Capsule plugin, version < 1.21.16, must be installed and active
- auth: No authentication or prior access is required; the attack is fully unauthenticated
- network: The attacker must be able to send HTTP POST requests to the WordPress site
Reproduction
1. Send a POST request to the target WordPress URL with the raw body `IWP_JSON_PREFIX` and a `Referer` header set to the target URL.
2. From the response's `Set-Cookie` headers, extract the cookie whose name contains `logged` (WordPress's `wordpress_logged_in_<hash>` authentication cookie).
3. Send that cookie with a request to `wp-admin/index.php`; if the response contains `Dashboard`, the cookie is a valid administrator session [ref_id=1].
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/47941 (mitre, exploit)
- www.vulncheck.com/advisories/wordpress-time-capsule-plugin-authentication-bypass (mitre, third-party advisory)
- wptimecapsule.com (mitre, product)