CVE-2025-5815

An unauthenticated attacker can send a crafted HTTP request to the WordPress site that triggers the `tfcm_maybe_set_bot_flags()` function. Because no authorization check (CWE-862) is performed, the attacker can set the `TFCM_SKIP_BOT_LOGGING` flag to `true`, which causes the plugin to skip logging all subsequent bot traffic. This allows malicious bot activity to go unrecorded in the plugin's logs, undermining the monitoring functionality.

The vulnerability resides in the `tfcm_maybe_set_bot_flags()` function within the Traffic Monitor plugin (all versions up to 3.2.2). The function lacks a capability check, allowing unauthenticated attackers to disable bot logging. The plugin's main file `traffic-monitor.php` defines the global flags `TFCM_BOT_BLOCKING` and `TFCM_SKIP_BOT_LOGGING` that control bot-related behavior.

The advisory does not include a patch diff. The recommended remediation is to add a capability check (e.g., `current_user_can('manage_options')`) inside `tfcm_maybe_set_bot_flags()` before allowing the bot logging flags to be modified. Without this check, any unauthenticated visitor can toggle the bot logging state. The fix should ensure only authenticated administrators can alter these settings.