Description
Unauthenticated Cross Site Scripting (XSS) in Timetics <= 1.0.58 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Timetics WordPress plugin versions up to 1.0.58 contain an unauthenticated Cross‑Site Scripting flaw that allows an attacker to inject arbitrary JavaScript into pages viewed by other users. This can lead to session hijacking, defacement, or theft of sensitive session data, as it affects the integrity and confidentiality of the site’s content for all visitors. The vulnerability is identified as CWE‑79.

Affected Systems

Affected are WordPress sites that deploy the Timetics plugin from Arraytics, specifically any instance running version 1.0.58 or earlier. The vendor recommends updating to version 1.0.59 or later to eliminate the flaw.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating high severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. Because the flaw is unauthenticated and exploitable via publicly accessible plugin inputs, any user can potentially inject malicious scripts. Attackers could quickly discover vulnerable sites and compromise visitors without needing elevated privileges.

Generated by OpenCVE AI on July 2, 2026 at 15:12 UTC.

Remediation

Vendor Solution

Update the WordPress Timetics Plugin to the latest available version (at least 1.0.59).


OpenCVE Recommended Actions

  • Upgrade the Timetics Plugin to version 1.0.59 or newer.
  • Perform a site‑wide scan to ensure no legacy XSS vectors remain after the update.
  • Remove or disable any unused plugin instances and enforce strict input sanitization best practices.


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Arraytics; Arraytics timetics; Wordpress; Wordpress wordpress
Vendors & Products | | Arraytics; Arraytics timetics; Wordpress; Wordpress wordpress

Thu, 02 Jul 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Cross Site Scripting (XSS) in Timetics <= 1.0.58 versions.
Title | | WordPress Timetics plugin <= 1.0.58 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T11:27:05.377Z

Reserved: 2026-06-25T08:03:37.652Z

Link: CVE-2026-57674

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:15:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')