Search criteria
2 vulnerabilities found for Easy Timer by kleor
CVE-2025-9519 (GCVE-0-2025-9519)
Vulnerability from cvelistv5 – Published: 2025-09-04 04:23 – Updated: 2025-09-04 13:59
VLAI?
Title
Easy Timer <= 4.2.1 - Authenticated (Editor+) Remote Code Execution via Shortcode
Summary
The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.
Severity ?
7.2 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kleor | Easy Timer |
Affected:
* , ≤ 4.2.1
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9519",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-04T13:59:29.842813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T13:59:43.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Timer",
"vendor": "kleor",
"versions": [
{
"lessThanOrEqual": "4.2.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin\u0027s shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T04:23:48.956Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f2d8a68-4cb9-44bc-b4ae-43a8e8468634?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-timer/trunk/shortcodes.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3355111/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-27T17:24:13.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-03T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Timer \u003c= 4.2.1 - Authenticated (Editor+) Remote Code Execution via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9519",
"datePublished": "2025-09-04T04:23:48.956Z",
"dateReserved": "2025-08-26T23:53:17.887Z",
"dateUpdated": "2025-09-04T13:59:43.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9519 (GCVE-0-2025-9519)
Vulnerability from nvd – Published: 2025-09-04 04:23 – Updated: 2025-09-04 13:59
VLAI?
Title
Easy Timer <= 4.2.1 - Authenticated (Editor+) Remote Code Execution via Shortcode
Summary
The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.
Severity ?
7.2 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kleor | Easy Timer |
Affected:
* , ≤ 4.2.1
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9519",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-04T13:59:29.842813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T13:59:43.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Timer",
"vendor": "kleor",
"versions": [
{
"lessThanOrEqual": "4.2.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin\u0027s shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-04T04:23:48.956Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f2d8a68-4cb9-44bc-b4ae-43a8e8468634?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-timer/trunk/shortcodes.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3355111/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-27T17:24:13.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-03T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Easy Timer \u003c= 4.2.1 - Authenticated (Editor+) Remote Code Execution via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9519",
"datePublished": "2025-09-04T04:23:48.956Z",
"dateReserved": "2025-08-26T23:53:17.887Z",
"dateUpdated": "2025-09-04T13:59:43.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}