CVE-2025-9519: 
WordPress vulnerability analysis and mitigation

The Easy Timer plugin for WordPress has been identified with a Remote Code Execution vulnerability (CVE-2025-9519), discovered and disclosed on September 3, 2025. This vulnerability affects all versions up to and including 4.2.1 of the plugin. The issue was initially reported by Jonas Benjamin Friedli and has been assigned a High severity rating (NVD).

The vulnerability stems from insufficient restriction of shortcode attributes in the Easy Timer plugin's shortcodes functionality. The issue has been classified as CWE-94 (Improper Control of Generation of Code), indicating a code injection vulnerability. The vulnerability has received a CVSS v3.1 Base Score of 7.2 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD, Wordfence).

The vulnerability allows authenticated attackers with Editor-level access or higher to execute arbitrary code on the server. This could potentially lead to complete server compromise, allowing attackers to gain unauthorized access to sensitive data, modify website content, or use the server for malicious purposes (NVD).

A fix has been released in version 4.2.2 of the Easy Timer plugin, which improves the security of the 'filter' attribute. Website administrators are strongly advised to update to this latest version immediately (WordPress Changeset).