Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS. This issue affects HurryTimer: from n/a through <= 2.14.2.
Published: 2026-02-19
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting (XSS) that can lead to client‑side script execution and potential session hijacking or defacement
Action: Apply Patch
AI Analysis

Impact

The HurryTimer plugin for WordPress contains an improper neutralization of input during web page generation vulnerability: script supplied by a user is stored persistently and later rendered into pages without adequate escaping. Once stored, the attacker's code executes in the browser of every visitor who views the affected content, potentially enabling theft of session cookies, defacement of the site, or follow‑on attacks launched from the victim's browser context. The flaw is a classic stored XSS (CWE‑79) and can compromise the confidentiality and integrity of user data.

Affected Systems

The vulnerability affects the HurryTimer WordPress plugin developed by Nabil Lemsieh. All versions from the initial release up to and including 2.14.2 are impacted. Users running any of these plugin releases on their WordPress sites are susceptible.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests that the likelihood of exploitation is very low at present, and the vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve unauthorized input via the plugin’s front‑end or back‑end forms, which the plugin then stores without sufficient sanitization. An attacker who can submit malicious data—either as a user or through other means—could achieve the stored XSS; no additional privileges or remote code execution are required.

Generated by OpenCVE AI on April 16, 2026 at 00:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HurryTimer plugin to version 2.14.3 or later to remove the stored XSS flaw.
  • Ensure that all user‑supplied input handled by the plugin is validated and sanitized using WordPress core functions or equivalent mechanisms, preventing unsanitized data from being stored.
  • If an immediate update is not possible, disable or remove the HurryTimer plugin, restrict its use to trusted administrators only, and consider deploying a web application firewall rule that blocks typical XSS payloads.
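The second recommendation above (validate on input, escape on output with WordPress core functions) is the generic fix for CWE‑79 in a plugin. The following is an added illustration, not HurryTimer's code and not derived from the patch; the option name, nonce action and form field are hypothetical. It shows the weak save/render pattern beside a hardened one that sanitizes on input and escapes for the specific output context.

```php
<?php
// Added example (not the HurryTimer plugin's own code). Option name,
// nonce action and the 'timer_title' form field are hypothetical.

// --- Weak pattern: raw input stored, raw value echoed later ---
function hypothetical_save_title_weak() {
    // Whatever the request contains is written to the database verbatim.
    update_option( 'hypothetical_timer_title', $_POST['timer_title'] );
}
function hypothetical_render_title_weak() {
    // The stored value is placed into HTML unescaped: stored XSS.
    echo '<h2>' . get_option( 'hypothetical_timer_title' ) . '</h2>';
}

// --- Hardened pattern ---
function hypothetical_save_title() {
    // Authorization and CSRF nonce check before touching settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'hypothetical_save_title' );

    // Normalize on input: wp_unslash() removes WordPress' magic-quote
    // slashes; sanitize_text_field() strips tags, invalid UTF-8 and line
    // breaks. Use wp_kses_post() instead when limited HTML must be allowed.
    $title = isset( $_POST['timer_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['timer_title'] ) )
        : '';
    update_option( 'hypothetical_timer_title', $title );
}

function hypothetical_render_title() {
    // Escape on output for the HTML text context, even though the value
    // was sanitized on save; stored data may have other writers.
    echo '<h2>' . esc_html( get_option( 'hypothetical_timer_title', '' ) ) . '</h2>';
}

function hypothetical_render_button( $label, $url ) {
    // Each output context gets its own escaper: attributes need esc_attr(),
    // URLs need esc_url(), text nodes need esc_html().
    printf(
        '<a class="timer-btn" href="%s" data-label="%s">%s</a>',
        esc_url( $url ),
        esc_attr( $label ),
        esc_html( $label )
    );
}
```

The key design point is that input sanitization and output escaping are separate layers: sanitizing on save limits what reaches the database, but only context-specific escaping at render time guarantees that a stored value cannot change the structure of the generated page.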

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nabil Lemsieh; Nabil Lemsieh hurrytimer; Wordpress; Wordpress wordpress
Vendors & Products | | Nabil Lemsieh; Nabil Lemsieh hurrytimer; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 22:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Thu, 19 Feb 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS. This issue affects HurryTimer: from n/a through <= 2.14.2.
Title | | WordPress HurryTimer plugin <= 2.14.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:11.856Z

Reserved: 2026-01-22T14:42:48.126Z

Link: CVE-2026-24392

Vulnrichment

Updated: 2026-02-19T21:43:54.840Z

NVD

Status : Deferred

Published: 2026-02-19T09:16:13.640

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24392

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:45:15Z

Weaknesses