WP-Safety

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce Security & Risk Analysis

wordpress.org/plugins/hurrytimer

Create unlimited urgency and scarcity countdown timers for WordPress and WooCommerce to boost conversions and sales instantly.

20K active installs v2.14.3 PHP 5.6+ WP 4.0+ Updated Mar 6, 2026
countdown-timerevergreen-countdownflash-sale-timerrecurring-countdown-timersales-countdown-timer
95
A · Safe
CVEs total5
Unpatched0
Last CVEJan 11, 2026
Plugin page Download
Safety Verdict

Is HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce Safe to Use in 2026?

Generally Safe

Score 95/100

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEsLast CVE: Jan 11, 2026Updated 28d ago
Risk Assessment

The Hurrytimer plugin version 2.14.3 exhibits a mixed security posture. On the positive side, it has a robust entry point management with all 13 identified entry points (AJAX handlers and shortcodes) appearing to have authentication checks, and there are no REST API routes without permission callbacks. The plugin also demonstrates good practices in SQL query handling, with a high percentage using prepared statements, and a significant number of nonce and capability checks, indicating awareness of common WordPress security mechanisms. Furthermore, there are no external HTTP requests, mitigating risks associated with external service dependencies.

However, several concerning signals emerge from the static analysis and historical data. The presence of the `unserialize` function is a significant risk factor, as it can lead to Remote Code Execution if not handled with extreme care and validated input. While taint analysis shows no critical or high severity flows, the single flow with unsanitized paths warrants attention, suggesting potential for XSS or other injection vulnerabilities if input isn't rigorously validated before use. The output escaping rate of 59% is also a concern, with over 40% of outputs potentially vulnerable to Cross-Site Scripting.

The plugin's vulnerability history, with 5 medium severity CVEs, although currently all patched, indicates a pattern of past security weaknesses, primarily related to Missing Authorization and Cross-site Scripting. The fact that the last vulnerability was recorded in early 2026, suggesting it might be a future date, is unusual and requires verification of the data source, but if accurate, it points to recent issues. The reliance on the Select2 library, if outdated, could also introduce vulnerabilities.

In conclusion, while Hurrytimer v2.14.3 has improved in some areas like entry point protection and SQL preparedness, the presence of `unserialize`, insufficient output escaping, and a history of vulnerabilities necessitate caution. Prioritizing the secure handling of unserialized data, improving output escaping, and ensuring all bundled libraries are up-to-date are crucial for strengthening its security posture.

Key Concerns

  • Presence of 'unserialize' function
  • Low output escaping rate (59%)
  • Taint flow with unsanitized paths
  • History of 5 medium severity CVEs
  • Bundled library (Select2) potentially outdated
Vulnerabilities
5

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce Security Vulnerabilities

CVEs by Year

2 CVEs in 2024
2024
2 CVEs in 2025
2025
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
5

5 total CVEs

CVE-2026-24392medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce <= 2.14.2 - Authenticated (Author+) Stored Cross-Site Scripting

Jan 11, 2026 Patched in 2.14.3 (47d)
CVE-2025-53255medium · 5.3Missing Authorization

HurryTimer <= 2.13.1 - Missing Authorization

Jun 27, 2025 Patched in 2.14.0 (7d)
CVE-2024-13735medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HurryTimer <= 2.11.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Name

Feb 13, 2025 Patched in 2.12.0 (1d)
CVE-2024-8667medium · 4.3Missing Authorization

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce <= 2.10.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Publication

Oct 23, 2024 Patched in 2.11.0 (1d)
CVE-2024-32556medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce <= 2.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 16, 2024 Patched in 2.10.0 (10d)
Code Analysis
Analyzed Mar 16, 2026

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce Code Analysis

Dangerous Functions
1
Raw SQL Queries
2
11 prepared
Unescaped Output
137
201 escaped
Nonce Checks
18
Capability Checks
20
File Operations
34
External Requests
0
Bundled Libraries
1

Dangerous Functions Found

unserialize$instance = @unserialize($value);includes\Dependencies\Carbon\Carbon.php:5243

Bundled Libraries

Select2

SQL Query Safety

85% prepared13 total queries

Output Escaping

59% escaped338 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows1 with unsanitized paths
<hurrytimer> (hurrytimer.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce Attack Surface

Entry Points13
Unprotected0

AJAX Handlers 12

authwp_ajax_wcSearchProductsincludes\Admin.php:44
authwp_ajax_hurrytimer/search_wc_couponincludes\Admin.php:45
authwp_ajax_add_wc_condition_groupincludes\Admin.php:46
authwp_ajax_add_wc_conditionincludes\Admin.php:47
authwp_ajax_load_wc_conditionincludes\Admin.php:48
authwp_ajax_hurryt_dismiss_leave_review_noticeincludes\Admin.php:49
authwp_ajax_hurryt_remind_leave_review_noticeincludes\Admin.php:50
authwp_ajax_hurryt_dismiss_headline_moved_noticeincludes\Admin.php:97
authwp_ajax_hurryt/update_timestampincludes\Frontend.php:61
noprivwp_ajax_hurryt/update_timestampincludes\Frontend.php:62
authwp_ajax_next_recurrenceincludes\Frontend.php:65
noprivwp_ajax_next_recurrenceincludes\Frontend.php:66

Shortcodes 1

[hurrytimer] includes\CampaignShortcode.php:31
WordPress Hooks 57
actionsave_post_hurrytimer_countdownadmin\CampaignSettings.php:35
actionpost_submitbox_misc_actionsadmin\CampaignSettings.php:38
actionadmin_initadmin\CampaignSettings.php:41
filterenter_title_hereadmin\CampaignSettings.php:44
filterpost_updated_messagesadmin\CampaignSettings.php:47
filteradd_meta_boxesadmin\CampaignSettings.php:50
actionupdated_post_metaadmin\CampaignSettings.php:52
actionedit_form_before_permalinkadmin\CampaignSettings.php:53
actionbefore_woocommerce_inithurrytimer.php:58
actionplugins_loadedhurrytimer.php:71
filterwp_insert_post_dataincludes\ActionManager.php:23
actionsave_postincludes\ActionManager.php:29
actionwp_insert_postincludes\Admin.php:43
actionadmin_initincludes\Admin.php:51
actionadmin_initincludes\Admin.php:52
actionadmin_initincludes\Admin.php:53
actionadmin_initincludes\Admin.php:54
actionadmin_initincludes\Admin.php:55
filterpost_row_actionsincludes\Admin.php:56
actionadmin_menuincludes\Admin.php:57
filterbulk_post_updated_messagesincludes\Admin.php:76
actionadmin_menuincludes\Admin.php:83
actionadmin_noticesincludes\Admin.php:84
actionadmin_noticesincludes\Admin.php:85
actionadmin_noticesincludes\Admin.php:87
filteradmin_footer_textincludes\Admin.php:88
filterwp_insert_post_dataincludes\Admin.php:89
actionadmin_noticesincludes\Admin.php:94
actionadmin_enqueue_scriptsincludes\Admin.php:99
actionadmin_initincludes\Admin.php:101
actionload-edit.phpincludes\Admin.php:343
actionload-post-new.phpincludes\Admin.php:344
actionload-post.phpincludes\Admin.php:345
actioninitincludes\Bootstrap.php:68
actionadmin_menuincludes\Bootstrap.php:129
actionadmin_initincludes\Bootstrap.php:130
filteradd_meta_boxesincludes\Bootstrap.php:133
actionadmin_enqueue_scriptsincludes\Bootstrap.php:135
actionadmin_enqueue_scriptsincludes\Bootstrap.php:136
filterpre_do_shortcode_tagincludes\CampaignShortcode.php:32
filtershortcode_atts_hurrytimerincludes\CampaignShortcode.php:33
actionwp_enqueue_scriptsincludes\Frontend.php:50
actionwp_enqueue_scriptsincludes\Frontend.php:51
actionwp_footerincludes\Frontend.php:54
actionwp_footerincludes\Frontend.php:55
actionwpincludes\Frontend.php:58
actionhurryt_pre_renderincludes\Frontend.php:69
actionwpincludes\Frontend.php:74
actionwpincludes\IP_Log_Manager.php:14
actionastra_woo_single_add_to_cart_beforeincludes\WCCampaign.php:66
actionastra_woo_single_add_to_cart_afterincludes\WCCampaign.php:69
actionastra_woo_single_price_afterincludes\WCCampaign.php:72
actionastra_woo_single_rating_afterincludes\WCCampaign.php:75
actionastra_woo_single_title_afterincludes\WCCampaign.php:78
actionastra_woo_single_title_beforeincludes\WCCampaign.php:81
actionwoocommerce_single_product_summaryincludes\WCCampaign.php:84
actionwoocommerce_single_product_summaryincludes\WCCampaign.php:89
Maintenance & Trust

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 6, 2026
PHP min version5.6
Downloads502K

Community Trust

Rating96/100
Number of ratings166
Active installs20K
Alternatives

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce Alternatives

Evergreen Countdown Timer

Evergreen Countdown Timer

intelly-countdown

A
100

Evergreen Countdown is a plugin built for marketers that need a reliable solution to use scarcity on their websites and landing pages.

2K No CVEs
Met Sales Countdown- All‑in‑one FOMO plugin for WooCommerce

Met Sales Countdown- All‑in‑one FOMO plugin for WooCommerce

sales-countdown-discount-timer

A
92

Met Sales Countdown to increase sales and create urgency for buying your products.

0 No CVEs
VICSO Sale Countdown Timer for WooCommerce

VICSO Sale Countdown Timer for WooCommerce

vicso-sale-countdown-timer-for-woocommerce

A
85

A simple but very useful tool for increasing online sales. A countdown timer for WooCommerce product pages with promotional price.

0 No CVEs
Countdown Timer Ultimate

Countdown Timer Ultimate

countdown-timer-ultimate

A
100

A quick, easy way to add and display responsive Countdown timer on your website. Also work with Gutenberg shortcode block.

20K No CVEs
Countdown, Coming Soon, Maintenance – Countdown & Clock

Countdown, Coming Soon, Maintenance – Countdown & Clock

countdown-builder

C
65

Countdown builder - Customizable Countdown Timer

10K 1 unpatched
Developer Profile

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce Developer Profile

Nabil Lemsieh

4 plugins · 30K total installs

85
trust score
Avg Security Score
95/100
Avg Patch Time
61 days
View full developer profile
Detection Fingerprints

How We Detect HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/hurrytimer/assets/css/hurrytimer-admin.css/wp-content/plugins/hurrytimer/assets/css/hurrytimer-frontend.css/wp-content/plugins/hurrytimer/assets/js/hurrytimer-frontend.js/wp-content/plugins/hurrytimer/assets/js/hurrytimer-admin.js/wp-content/plugins/hurrytimer/assets/js/review.js
Script Paths
assets/js/review.js
Version Parameters
hurrytimer/assets/css/hurrytimer-admin.css?ver=hurrytimer/assets/css/hurrytimer-frontend.css?ver=hurrytimer/assets/js/hurrytimer-frontend.js?ver=hurrytimer/assets/js/hurrytimer-admin.js?ver=hurrytimer/assets/js/review.js?ver=

HTML / DOM Fingerprints

CSS Classes
hurrytimer-countdownhurrytimer-frontendhurrytimer-admin-wrap
HTML Comments
<!-- wp:hurrytimer/countdown --><!-- /wp:hurrytimer/countdown -->
Data Attributes
data-hurrytimer-countdown-iddata-hurrytimer-settings
JS Globals
hurrytimer_ajax_reviewhurrytimer_frontend
Shortcode Output
[hurrytimer_countdown
FAQ

Frequently Asked Questions about HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce