CVE-2025-9519

Severity: HIGH · Lab available

Easy Timer <4.2.1 - Authenticated RCE

Title source: llm

Description

The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.

Exploits (1)

GitHub (working PoC, 2 stars) by Nimisha17: https://github.com/Nimisha17/Poc-CVE-2025-9519

Scores

CVSS v3 7.2
EPSS 0.0045
EPSS Percentile 63.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab

docker pull wordpress:php7.4-apache
docker pull wordpress:cli

Details

CWE
CWE-94
Status published
Products (1)
kleor/Easy Timer < 4.2.1
Published Sep 04, 2025
Tracked Since Feb 18, 2026