Skip to main content

Maksym Marko MX Time Zone Clocks CVE-2025-62146

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 09:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maksym Marko MX Time Zone Clocks mx-time-zone-clocks allows Stored XSS.This issue affects MX Time Zone Clocks: from n/a through <= 5.1.1.

AnalysisAI

Stored XSS vulnerability in MX Time Zone Clocks WordPress plugin versions up to 5.1.1 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input sanitization during web page generation, enabling persistent cross-site scripting attacks that could compromise site visitors, steal session tokens, or deface content. EPSS score of 0.04% indicates low real-world exploitation probability, though the stored nature of the XSS makes it a medium-priority remediation target for affected WordPress administrators.

Technical ContextAI

MX Time Zone Clocks is a WordPress plugin that displays time zone information across multiple locations. The vulnerability originates from CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic input validation and output encoding flaw. When the plugin processes user-supplied data (likely through plugin settings, shortcode parameters, or custom post meta), it fails to properly sanitize or escape the input before storing it in the database. Upon retrieval and display, this unsanitized data is rendered directly into the page HTML without encoding, allowing injected JavaScript to execute in the browsers of any visitor viewing the affected page. This is particularly dangerous in a WordPress context where administrative functionality and user data may be accessible to scripts running with authenticated context.

Affected ProductsAI

MX Time Zone Clocks WordPress plugin by Maksym Marko is affected in all versions from the initial release through version 5.1.1 inclusive. The plugin is distributed via WordPress.org plugin repository. Specific affected version range: 5.1.1 and all earlier versions. The vulnerability is confirmed in the Patchstack database vulnerability entry referenced in the intelligence report.

RemediationAI

WordPress administrators should immediately update MX Time Zone Clocks to a version newer than 5.1.1 once available from the WordPress plugin repository, or consider disabling and removing the plugin from affected installations until a patched version is released. The Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/mx-time-zone-clocks/vulnerability/wordpress-mx-time-zone-clocks-plugin-5-1-1-cross-site-scripting-xss-vulnerability-2) should be monitored for vendor patch notification. As a temporary mitigation pending a security update, restrict plugin access to trusted administrators only and audit any existing stored plugin configurations for suspicious content that may indicate prior exploitation. If the plugin accepts shortcode parameters from user input, disable or restrict shortcode usage on public-facing pages.

Share

CVE-2025-62146 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy