Description
The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.
Published: 2025-09-04
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Easy Timer WordPress plugin contains a flaw that allows an authenticated user with Editor or higher privileges to execute arbitrary PHP code on the web server. The flaw originates from insufficient restriction of attributes passed to shortcodes, enabling the attacker to inject code that runs with the permissions of the web server. This weakness is classified as CWE-94, indicating a code injection vulnerability.
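
The advisory names the weakness class (CWE-94 via insufficiently restricted shortcode attributes) but not the plugin's code, so the following is an added illustration, not Easy Timer's handler and not part of the OpenCVE record. It shows the control whose absence this class of bug implies: a hypothetical countdown shortcode (`example_timer`, all names assumed) that reduces incoming attributes to a fixed allowlist with `shortcode_atts()`, coerces each to its expected type, and only ever treats them as data, never as PHP to evaluate, a callable to invoke, or markup to emit unescaped.

```php
<?php
/**
 * Hypothetical countdown shortcode handler (illustrative example; assumed names,
 * not the Easy Timer plugin's code).
 *
 * Defensive pattern for shortcode attributes (CWE-94 mitigation):
 *   1. Allowlist attribute keys with shortcode_atts(); unknown keys are dropped.
 *   2. Coerce every value to the type the handler expects (int, enum, date).
 *   3. Use attribute values only as data; never pass them to eval(),
 *      call_user_func(), create_function(), include, or string-built PHP.
 *   4. Escape everything on output for its HTML context.
 */

// Closed set of accepted display formats; anything else falls back to the default.
const EXAMPLE_TIMER_FORMATS = array( 'dhms', 'hms', 'seconds' );

function example_timer_shortcode( $atts, $content = null ) {
    // Step 1: only these three keys survive; an author-supplied "callback",
    // "php" or similar attribute is silently discarded here.
    $atts = shortcode_atts(
        array(
            'end'    => '',      // target date/time as free text, e.g. "2025-12-31 23:59"
            'format' => 'dhms',  // must be one of EXAMPLE_TIMER_FORMATS
            'id'     => 0,       // numeric suffix for the element id
        ),
        (array) $atts,
        'example_timer'
    );

    // Step 2: type coercion. An unparsable date renders nothing rather than
    // being interpolated anywhere.
    $end_ts = strtotime( sanitize_text_field( $atts['end'] ) );
    if ( false === $end_ts ) {
        return '';
    }
    $format = in_array( $atts['format'], EXAMPLE_TIMER_FORMATS, true )
        ? $atts['format']
        : 'dhms';
    $id = absint( $atts['id'] );

    $remaining = max( 0, $end_ts - time() );

    // Step 3/4: the rendered text is derived from validated integers and an
    // enum value; every interpolated piece is escaped for its context.
    return sprintf(
        '<span class="example-timer" id="example-timer-%d" data-format="%s" data-remaining="%d">%s</span>',
        $id,
        esc_attr( $format ),
        $remaining,
        esc_html( example_timer_render( $remaining, $format ) )
    );
}

// Formats a number of seconds according to the selected (validated) format.
function example_timer_render( $seconds, $format ) {
    $seconds = (int) $seconds;
    if ( 'seconds' === $format ) {
        return $seconds . 's';
    }
    $days    = intdiv( $seconds, 86400 );
    $hours   = intdiv( $seconds % 86400, 3600 );
    $minutes = intdiv( $seconds % 3600, 60 );
    $secs    = $seconds % 60;
    if ( 'hms' === $format ) {
        return sprintf( '%02d:%02d:%02d', $days * 24 + $hours, $minutes, $secs );
    }
    return sprintf( '%dd %02d:%02d:%02d', $days, $hours, $minutes, $secs );
}

// Register only when running inside WordPress.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'example_timer', 'example_timer_shortcode' );
}
```

When reviewing a third-party shortcode handler for this weakness class, the questions to ask are the same ones the example answers: is there an explicit attribute allowlist, is each value coerced to a concrete type before use, and does any attribute reach a code-execution sink (evaluation, dynamic function or method names, dynamic includes) rather than being treated as plain data.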

Affected Systems

The vulnerability affects the Easy Timer plugin developed by Kleor, in all versions up to and including 4.2.1. WordPress sites that have this plugin installed and have users with Editor or higher roles are at risk.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, while the EPSS score of <1% suggests the likelihood of exploitation is low as of now. The vulnerability is not listed in CISA KEV, meaning it has not yet been observed in the wild. Attackers must be authenticated, possess Editor+ access, and craft a malicious shortcode to trigger the flaw. Once triggered, they can run arbitrary PHP code, potentially compromising the entire WordPress installation and the underlying server.

Generated by OpenCVE AI on April 21, 2026 at 03:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Easy Timer plugin to the latest version (4.2.2 or newer) to remove the vulnerable shortcode handling.
  • If an update is not feasible, disable the Easy Timer plugin or the shortcode functionality until a patch is available.
  • Restrict Editor+ role privileges or remove unnecessary Editor+ accounts to reduce the number of users who could exploit the flaw.

Advisories

Source: EUVD
ID: EUVD-2025-26705
Title: The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.

History

Thu, 04 Sep 2025 14:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Sep 2025 13:15:00 +0000

First Time appeared: Wordpress; Wordpress wordpress
Vendors & Products: Wordpress; Wordpress wordpress

Thu, 04 Sep 2025 04:30:00 +0000

Description: The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.
Title: Easy Timer <= 4.2.1 - Authenticated (Editor+) Remote Code Execution via Shortcode
Weaknesses: CWE-94
References:
Metrics (cvssV3_1): {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:55.000Z

Reserved: 2025-08-26T23:53:17.887Z

Link: CVE-2025-9519

Vulnrichment

Updated: 2025-09-04T13:59:36.709Z

NVD

Status: Deferred

Published: 2025-09-04T10:42:35.590

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:30:26Z

Weaknesses