Impact
The Timetics WordPress plugin, in versions up to and including 1.0.58, contains an unauthenticated Cross-Site Scripting flaw that allows an attacker to inject arbitrary JavaScript into pages viewed by other users. This can lead to session hijacking, site defacement, or theft of sensitive data, since it affects the integrity and confidentiality of the site's content for every visitor. The weakness is classified as CWE-79.
Affected Systems
WordPress sites that deploy the Timetics plugin from Arraytics, specifically any instance running version 1.0.58 or earlier. The vendor recommends updating to version 1.0.59 or later to eliminate the flaw.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.1, indicating high severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. Because the flaw is unauthenticated and reachable through publicly accessible plugin inputs, any visitor, without logging in, can potentially inject malicious scripts. Attackers could quickly discover vulnerable sites and compromise their visitors without needing elevated privileges.
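To make the CWE-79 pattern concrete, the following is an added illustration of how an unauthenticated reflected XSS typically arises in a WordPress plugin and how it is fixed; it is constructed for this page and is not Timetics code (the page does not describe the plugin's actual inputs). The shortcode name `booking_notice`, the `msg` parameter and the function names are hypothetical.

```php
<?php
/**
 * Constructed CWE-79 illustration in a WordPress plugin context.
 * NOT the Timetics code; the hypothetical shortcode is [booking_notice].
 */

// VULNERABLE: a request parameter is concatenated straight into page HTML.
// Because shortcodes render on public pages, no login is needed: whoever
// opens a crafted link has the parameter's content interpreted as markup.
function vuln_booking_notice_shortcode( $atts ) {
    $msg = isset( $_GET['msg'] ) ? wp_unslash( $_GET['msg'] ) : '';
    return '<div class="booking-notice">' . $msg . '</div>';
}

// HARDENED: sanitize on input and escape on output, using the WordPress
// escaping functions that match the output context.
// esc_html() encodes < > & " ' so the value renders as inert text.
function safe_booking_notice_shortcode( $atts ) {
    $msg = isset( $_GET['msg'] )
        ? sanitize_text_field( wp_unslash( $_GET['msg'] ) )
        : '';
    return '<div class="booking-notice">' . esc_html( $msg ) . '</div>';
}

// The same rule applied to other contexts: attributes need esc_attr(),
// href values need esc_url(); esc_html() alone is not enough there.
function safe_booking_link( $url, $label ) {
    return '<a href="' . esc_url( $url ) . '" title="' . esc_attr( $label ) . '">'
        . esc_html( $label ) . '</a>';
}

// Register only the hardened handler.
add_shortcode( 'booking_notice', 'safe_booking_notice_shortcode' );

// Defence in depth: a Content-Security-Policy header limits what injected
// script can do even if an escaping bug slips through. Tighten the source
// list to what the site actually loads.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'" );
} );
```

The fix for Timetics itself is the vendor update to 1.0.59 or later; the escaping and CSP shown here are the general mitigations for this weakness class.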
OpenCVE Enrichment