CVE-2025-62146

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 09:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maksym Marko MX Time Zone Clocks mx-time-zone-clocks allows Stored XSS. This issue affects MX Time Zone Clocks: from n/a through <= 5.1.1.

Analysis

Stored XSS vulnerability in MX Time Zone Clocks WordPress plugin versions up to 5.1.1 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input sanitization during web page generation, enabling persistent cross-site scripting attacks that could compromise site visitors, steal session tokens, or deface content. EPSS score of 0.04% indicates low real-world exploitation probability, though the stored nature of the XSS makes it a medium-priority remediation target for affected WordPress administrators.

Technical Context

MX Time Zone Clocks is a WordPress plugin that displays time zone information across multiple locations. The vulnerability originates from CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic input validation and output encoding flaw. When the plugin processes user-supplied data (likely through plugin settings, shortcode parameters, or custom post meta), it fails to properly sanitize or escape the input before storing it in the database. Upon retrieval and display, this unsanitized data is rendered directly into the page HTML without encoding, allowing injected JavaScript to execute in the browsers of any visitor viewing the affected page. This is particularly dangerous in a WordPress context where administrative functionality and user data may be accessible to scripts running with authenticated context.

Affected Products

MX Time Zone Clocks WordPress plugin by Maksym Marko is affected in all versions from the initial release through version 5.1.1 inclusive. The plugin is distributed via WordPress.org plugin repository. Specific affected version range: 5.1.1 and all earlier versions. The vulnerability is confirmed in the Patchstack database vulnerability entry referenced in the intelligence report.

Remediation

WordPress administrators should immediately update MX Time Zone Clocks to a version newer than 5.1.1 once available from the WordPress plugin repository, or consider disabling and removing the plugin from affected installations until a patched version is released. The Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/mx-time-zone-clocks/vulnerability/wordpress-mx-time-zone-clocks-plugin-5-1-1-cross-site-scripting-xss-vulnerability-2) should be monitored for vendor patch notification. As a temporary mitigation pending a security update, restrict plugin access to trusted administrators only and audit any existing stored plugin configurations for suspicious content that may indicate prior exploitation. If the plugin accepts shortcode parameters from user input, disable or restrict shortcode usage on public-facing pages.
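The audit of stored configuration mentioned above can be scripted. The following is an added example, not code from the plugin or from this advisory: it scans rows exported read-only from tables such as wp_options, wp_postmeta or wp_posts for active-content markers that a clock setting has no reason to contain. The key names, the shortcode name and the sample values are constructed and hypothetical.

```python
import html
import re

# Markers of active content that a clock/time-zone setting has no reason to contain.
PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "event handler attribute": re.compile(r"<[^>]*\son\w+\s*=", re.I),
    "javascript: URI": re.compile(r"javascript\s*:", re.I),
    "embedded frame/object": re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
}


def audit_rows(rows):
    """Return (source, key, reason) for every stored value that matches a marker.

    rows: iterable of (source, key, value) tuples, e.g. exported with a
    read-only query from wp_options, wp_postmeta or wp_posts.
    """
    findings = []
    for source, key, value in rows:
        # Decode entities once so markup stored pre-encoded is flagged for review too.
        decoded = html.unescape(value)
        for reason, pattern in PATTERNS.items():
            if pattern.search(value) or pattern.search(decoded):
                findings.append((source, key, reason))
    return findings


# Constructed sample rows; key names and the shortcode name are hypothetical,
# not taken from the plugin.
SAMPLE_ROWS = [
    ("wp_options", "example_clock_city", "Kyiv"),
    ("wp_options", "example_clock_label", 'Office <img src=x onerror="/*constructed*/">'),
    ("wp_postmeta", "example_clock_title", "&lt;script&gt;/*constructed*/&lt;/script&gt;"),
    ("wp_posts", "post_content", '[example_clock time_zone="Europe/London" city_name="London"]'),
]

if __name__ == "__main__":
    for source, key, reason in audit_rows(SAMPLE_ROWS):
        print(f"{source}.{key}: {reason}")
```

A match is a prompt for manual review of that row, not proof of exploitation; legitimate embeds in post content will also match the frame/object pattern.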

Priority Score

0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
