{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24392", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:48.126Z", "datePublished": "2026-02-19T08:26:50.918Z", "dateUpdated": "2026-04-28T16:14:48.632Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "hurrytimer", "product": "HurryTimer", "vendor": "Nabil Lemsieh", "versions": [{"changes": [{"at": "2.14.3", "status": "unaffected"}], "lessThanOrEqual": "2.14.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:40.197Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.<p>This issue affects HurryTimer: from n/a through <= 2.14.2.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.This issue affects HurryTimer: from n/a through <= 2.14.2."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:48.632Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/hurrytimer/vulnerability/wordpress-hurrytimer-plugin-2-14-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress HurryTimer plugin <= 2.14.2 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:44:11.033049Z", "id": "CVE-2026-24392", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:09:30.713Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24392", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:48.126Z", "datePublished": "2026-02-19T08:26:50.918Z", "dateUpdated": "2026-04-28T14:09:30.713Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "hurrytimer", "product": "HurryTimer", "vendor": "Nabil Lemsieh", "versions": [{"changes": [{"at": "2.14.3", "status": "unaffected"}], "lessThanOrEqual": "2.14.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "benzdeus | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:19.346Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.<p>This issue affects HurryTimer: from n/a through <= 2.14.2.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.This issue affects HurryTimer: from n/a through <= 2.14.2."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:44.823Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/hurrytimer/vulnerability/wordpress-hurrytimer-plugin-2-14-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress HurryTimer plugin <= 2.14.2 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24392", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:44:11.033049Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:43:54.840Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.This issue affects HurryTimer: from n/a through <= 2.14.2."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') vulnerabilidad en Nabil Lemsieh HurryTimer hurrytimer permite XSS Almacenado. Este problema afecta a HurryTimer: desde n/a hasta &lt;= 2.14.2."}], "id": "CVE-2026-24392", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:13.640", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/hurrytimer/vulnerability/wordpress-hurrytimer-plugin-2-14-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.14.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.14.3,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "HurryTimer", "source": "cna", "vendor": "Nabil Lemsieh"}, "product": "hurrytimer", "vendor": "nabil_lemsieh"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:36:36.802626+00:00", "value": {"mitigation_remediation": ["Upgrade HurryTimer plugin to version 2.14.3 or later to remove the stored XSS flaw.", "Ensure that all user\u2011supplied input handled by the plugin is validated and sanitized using WordPress core functions or equivalent mechanisms, preventing unsanitized data from being stored.", "If an immediate update is not possible, disable or remove the HurryTimer plugin, restrict its use to trusted administrators only, and consider deploying a web application firewall rule that blocks typical XSS payloads."], "summary": {"action": "Apply Patch", "impact": "Stored cross\u2011site scripting (XSS) that can lead to client\u2011side script execution and potential session hijacking or defacement"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the HurryTimer WordPress plugin developed by Nabil Lemsieh. All versions from the initial release up to and including 2.14.2 are impacted. Users running any of these plugin releases on their WordPress sites are susceptible.", "description_and_impact": "The HurryTimer plugin for WordPress contains an improper neutralization of input during web page generation vulnerability that allows long\u2011term storage of malicious script code injected by a user. Once stored, the attacker\u2019s code executes in the browsers of all visitors who view the affected content, potentially enabling theft of session cookies, defacement of the site, or subsequent network\u2011side attacks. The flaw is a classic stored XSS (CWE\u201179) and can compromise the confidentiality and integrity of user data.", "risk_and_exploitability": "The CVSS score of 5.9 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests that the likelihood of exploitation is very low at present, and the vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve unauthorized input via the plugin\u2019s front\u2011end or back\u2011end forms, which the plugin then stores without sufficient sanitization. An attacker who can submit malicious data\u2014either as a user or through other means\u2014could achieve the stored XSS; no additional privileges or remote code execution are required."}}}}, "created": "2026-02-20T10:11:12.805767+00:00", "updated": "2026-04-16T00:45:15.966170+00:00", "vendors": ["nabil_lemsieh", "nabil_lemsieh$PRODUCT$hurrytimer", "wordpress", "wordpress$PRODUCT$wordpress"]}