High severity7.2NVD Advisory· Published Sep 4, 2025· Updated Apr 15, 2026

CVE-2025-9519

Description

The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.

Affected products

WordPress/Easy Timerinferred2 versions
<=4.2.1+ 1 more
- (no CPE)range: <=4.2.1
- (no CPE)range: <=4.2.1
Package: https://wordpress.org/plugins/easy-timer

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/easy-timer/trunk/shortcodes.phpnvd
plugins.trac.wordpress.org/changeset/3355111/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/9f2d8a68-4cb9-44bc-b4ae-43a8e8468634nvd

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000