Description
The Ninja Countdown | Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary countdowns.
Published: 2025-11-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Countdowns
Action: Apply Patch
AI Analysis

Impact

The Ninja Countdown plugin for WordPress contains a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to and including 1.5.0. Because the endpoint does not verify the calling user's capabilities, any authenticated user with Subscriber level or higher can send a request that deletes an arbitrary countdown. The consequence is loss of user-created countdown data, which could disrupt site functionality or advertising schedules; the weakness is classified as CWE-862 (Missing Authorization) and represents a moderate data-loss vulnerability.

Affected Systems

WordPress sites running the Ninja Countdown | Fastest Countdown Builder plugin, version 1.5.0 or earlier, are affected.

Risk and Exploitability

The CVSS score of 4.3 reflects moderate severity, and an EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an authenticated account at the Subscriber level or higher, a role commonly granted to regular site users. Although the attack is simple (a crafted AJAX request that deletes a countdown), defenders should still prioritize remediation because the loss of countdown data can be disruptive to site operations.

Generated by OpenCVE AI on April 21, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ninja Countdown plugin to version 1.5.1 or newer, which includes the missing capability check.
  • If an immediate upgrade is not possible, disable the plugin or remove it entirely to prevent access to the vulnerable AJAX endpoint.
  • If the plugin must remain active for now, remove or restrict the 'ninja_countdown_admin_ajax' endpoint by editing the plugin's code or using a custom hook to enforce a stricter capability check.
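The defect class described above (an admin-ajax handler reachable by any logged-in user that changes state without a capability check) and the interim guard suggested in the last bullet, as an added illustrative example. This is not the plugin's own code and not OpenCVE's; it assumes the vulnerable handler is registered on the `wp_ajax_ninja_countdown_admin_ajax` hook (the standard WordPress wiring for an `action=ninja_countdown_admin_ajax` request to admin-ajax.php), and the nonce action name `ninja_countdown_admin`, the `manage_options` capability and the function names are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Countdown AJAX Capability Guard (illustrative mu-plugin)
 *
 * Hypothetical example, not the Ninja Countdown plugin's source. Dropping the
 * guard section into wp-content/mu-plugins/ registers it before regular plugins load.
 * Assumed: the vulnerable handler hangs off add_action('wp_ajax_ninja_countdown_admin_ajax', ...).
 */

// Pattern 1: the class of defect in CWE-862, shown generically. wp_ajax_{action}
// hooks fire for *every* logged-in user, so "is logged in" is the only check the
// handler gets for free; deleting without a capability check lets a Subscriber in.
function illustrative_vulnerable_handler() {
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    wp_delete_post( $id, true ); // reachable by any authenticated role
    wp_send_json_success();
}

// Pattern 2: the hardened form. Verify the nonce (CSRF) and the capability
// (authorization) before any state change; wp_send_json_error() calls wp_die().
function illustrative_hardened_handler() {
    check_ajax_referer( 'ninja_countdown_admin', 'nonce' ); // assumed nonce action name
    if ( ! current_user_can( 'manage_options' ) ) {        // assumed required capability
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( $id ) {
        wp_delete_post( $id, true );
    }
    wp_send_json_success();
}

// Pattern 3: interim guard for sites that cannot upgrade yet. Priority 1 runs
// ahead of the plugin's own callback (default priority 10), so low-privilege
// callers are rejected before the deletion code executes. Remove once patched.
add_action( 'wp_ajax_ninja_countdown_admin_ajax', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
}, 1 );
```

Only Pattern 3 is meant to be deployed as-is; Patterns 1 and 2 exist to show the difference between a handler that relies on the implicit "logged in" state of `wp_ajax_` hooks and one that performs an explicit authorization decision. A detection-side check for the same issue is to review every `add_action( 'wp_ajax_...' )` callback in a plugin for a `current_user_can()` call before any write.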



Advisories

No advisories yet.

History

Wed, 12 Nov 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 12 Nov 2025 13:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Ninja Countdown | Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary countdowns.

Type: Title
Values Removed: (none)
Values Added: Ninja Countdown <= 1.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Countdown Deletion

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:11.837Z

Reserved: 2025-11-03T21:16:37.757Z

Link: CVE-2025-12665

Vulnrichment

Updated: 2025-11-12T15:12:27.738Z

NVD

Status : Deferred

Published: 2025-11-11T04:15:49.103

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12665

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses