VYPR
Medium severity 5.3 · NVD Advisory · Published Jun 27, 2025 · Updated Apr 23, 2026

CVE-2025-53255

Description

Missing Authorization vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HurryTimer: from n/a through <= 2.13.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing authorization vulnerability in the HurryTimer WordPress plugin (up to v2.13.1) allows unprivileged attackers to bypass access controls.

Overview

The HurryTimer plugin for WordPress, versions 2.13.1 and earlier, contains a missing authorization vulnerability [1]. The root cause is an incorrectly configured access control security level, meaning certain functions or endpoints lack proper authorization checks [1]. This type of bug is classified as a broken access control vulnerability.

Exploitation

An attacker can exploit this vulnerability without needing any special privileges, as the missing authorization check allows unprivileged users (such as subscribers) to trigger higher-privileged actions [1]. The plugin’s vulnerable functions are exposed through WordPress REST API endpoints or admin-ajax handlers, making remote exploitation possible without authentication in some cases.

Impact

Successful exploitation could allow an attacker to perform actions normally restricted to administrators, such as modifying plugin settings or deleting timers, potentially leading to further site compromise or disruption [1]. The CVSS v3 base score of 5.3 (Medium) reflects the moderate confidentiality and integrity impact, though the attack complexity is low and no user interaction is required [1].

Mitigation

The vendor has released version 2.14.0 which addresses the missing authorization issue [1]. Users are strongly advised to update immediately, as similar vulnerabilities are frequently used in mass-exploit campaigns targeting WordPress sites [1]. For those unable to update, applying a Web Application Firewall (WAF) rule or contacting a hosting provider for assistance is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
