CVE-2020-37255

WordPress Time Capsule Plugin 1.21.16 Authentication Bypass

CVSS 8.7 HIGHEPSS 0.4%CWE-288

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.7EPSS 0.4%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

20 Jun 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

Wptimecapsule · Time Capsule Plugin

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/47941unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wptimecapsule.com/https://www.exploit-db.com/exploits/47941 https://www.vulncheck.com/advisories/wordpress-time-capsule-plugin-authentication-bypass