WordPress Plugin Vulnerabilities

MX Time Zone Clocks <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The MX Time Zone Clocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
mx-time-zone-clocks
No known fix

References

CVE
CVE-2025-31801
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a8d5628e-b5d6-4f2f-b270-0fed1c7b34fa

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
90d4b721-491d-4c45-b149-c2ba36b189df

Timeline

Publicly Published
2025-04-01 (about 1 year ago)
Added
2025-04-09 (about 11 months ago)
Last Updated
2025-12-18 (about 3 months ago)

Other

Published
Title
Published
2023-09-21
Title
Shared Files < 1.7.6 - Unauthenticated Stored Cross-Site Scripting
Published
2024-01-17
Title
Advanced Custom Fields < 6.2.5 - Contributor+ Stored Cross-Site Scripting via Custom Field
Published
2025-02-19
Title
Elementor Website Builder < 3.27.5 - Contributor+ Stored XSS
Published
2024-07-26
Title
Master Currency WP <= 1.1.61 - Authenticated (Contributor+) Stored Cross-Site Scripting via Currency Converter Form Shortcode
Published
2025-06-10
Title
The Events Calendar < 6.13.2.1 - Contributor+ DOM-Based Stored XSS