CVE-2024-9593
HIGH EXPLOITED NUCLEI
Wpplugin Time Clock < 1.1.4 - Code Injection
Title source: ruleDescription
The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
Exploits (4)
nomisec
WORKING POC
7 stars
by RandomRobbieBF · remote
https://github.com/RandomRobbieBF/CVE-2024-9593
nomisec
SCANNER
2 stars
by 0x4f5da2-venom · remote
https://github.com/0x4f5da2-venom/CVE-2024-9593-EXP
nomisec
WORKING POC
1 star
by Nxploited · remote
https://github.com/Nxploited/CVE-2024-9593-Exploit
github
WORKING POC
by Boshe99 · python poc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2024-9593-Exploit
Nuclei Templates (1)
Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Remote Code Execution
HIGH VERIFIED by s4e-io
FOFA:
body="/wp-content/plugins/time-clock/" || body="/wp-content/plugins/time-clock-pro/"
References (3)
Scores
CVSS v3
8.3
EPSS
0.8550
EPSS Percentile
99.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Details
VulnCheck KEV
2025-03-11
CWE
CWE-94
Status
published
Products (4)
Scott Paterson/Time Clock Pro
< 1.1.4
scottpaterson/Time Clock – A WordPress Employee & Volunteer Time Clock Plugin
< 1.2.2
wpplugin/time_clock
< 1.1.4
wpplugin/time_clock
< 1.2.2
Published
Oct 18, 2024
Tracked Since
Feb 18, 2026