Description
The Countdown Timer – Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) that can be executed by users who view affected pages and may lead to session hijacking or defacement
Action: Patch Immediately
AI Analysis

Impact

The Countdown Timer – Widget Countdown plugin contains a stored Cross‑Site Scripting flaw in its wpdevart_countdown shortcode. Input supplied by users in shortcode attributes is not properly sanitized or escaped before being stored and later rendered on the front‑end, allowing an authenticated attacker with contributor or higher privileges to inject arbitrary JavaScript into pages. When a user views an injected page, the malicious script runs in the visitor’s browser, potentially compromising credentials, defacing content, or redirecting traffic.

Affected Systems

WordPress sites that install the WPDevArt Countdown Timer – Widget Countdown plugin in versions 2.7.7 or earlier are affected. Any site using these plugin versions and allowing contributors or editors to add or modify content that includes the wpdevart_countdown shortcode can be exploited.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate impact, while an EPSS score of <1% shows a low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access at the contributor level or higher, making the attack surface internal to sites where such roles exist. Once injected, the stored XSS can affect all users who view the compromised page.

Generated by OpenCVE AI on April 20, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Countdown Timer – Widget Countdown plugin to the latest version (2.7.8 or newer) where the shortcode input is properly sanitized.
  • If the plugin must remain unchanged, remove or disable the wpdevart_countdown shortcode from any posts or pages to eliminate stored payloads, or replace it with a custom shortcode that sanitizes attributes.
  • Restrict contributor and editor roles from adding or editing content that contains the shortcode, limiting the ability to inject malicious payloads to administrators only.
  • As a temporary workaround, implement a content filter that escapes or removes JavaScript from shortcode attributes before rendering the page.

Generated by OpenCVE AI on April 20, 2026 at 21:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdevart
Wpdevart countdown Timer
Vendors & Products Wordpress
Wordpress wordpress
Wpdevart
Wpdevart countdown Timer

Mon, 12 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 10 Jan 2026 12:45:00 +0000

Type Values Removed Values Added
Description The Countdown Timer – Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Countdown Timer - Widget Countdown <= 2.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wpdevart Countdown Timer
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:48.009Z

Reserved: 2025-12-12T02:00:33.513Z

Link: CVE-2025-14555

cve-icon Vulnrichment

Updated: 2026-01-12T13:10:28.207Z

cve-icon NVD

Status : Deferred

Published: 2026-01-10T13:15:48.353

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14555

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses