Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bishawjit-das wp custom countdown wp-custom-countdown allows Stored XSS.This issue affects wp custom countdown: from n/a through <= 2.8.
Published: 2025-01-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The wp custom countdown plugin contains an improper neutralization of user input, allowing stored cross‑site scripting. Unsanitized data entered through the plugin’s administrative interface is saved and later rendered on public pages, enabling an attacker to inject malicious scripts. This can lead to defacement, session hijacking, or exploitation of the victim’s browser context, affecting the confidentiality and integrity of user data.

Affected Systems

This vulnerability impacts the wp custom countdown plugin from bishawjit-das, affecting all releases up to and including version 2.8. Users running the plugin at any of these versions are exposed.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk of exploitation. The EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not listed in CISA KEV. Likely, an attacker would craft payloads through the plugin’s admin input field or any exposed configuration interface, have the input stored, and rely on the website’s users to trigger the malicious script when they view the affected page. This attack requires web access to the site and administration of the plugin, making it a localized but potentially wide‑impact risk.

Generated by OpenCVE AI on May 1, 2026 at 22:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wp custom countdown plugin to the latest available version (2.9 or newer) to obtain the vendor-provided patch.
  • If a newer version is not yet released, uninstall or delete the plugin entirely to eliminate the stored XSS vector, and replace it with a verified alternative.
  • Configure a strict content‑security‑policy header on your WordPress site to prevent execution of injected scripts as an additional defensive layer.

Generated by OpenCVE AI on May 1, 2026 at 22:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3025 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bishawjit Das wp custom countdown allows Stored XSS.This issue affects wp custom countdown: from n/a through 2.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bishawjit Das wp custom countdown allows Stored XSS.This issue affects wp custom countdown: from n/a through 2.8. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bishawjit-das wp custom countdown wp-custom-countdown allows Stored XSS.This issue affects wp custom countdown: from n/a through <= 2.8.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 10 Jan 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Jan 2025 15:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bishawjit Das wp custom countdown allows Stored XSS.This issue affects wp custom countdown: from n/a through 2.8.
Title WordPress wp custom countdown Plugin <= 2.8 - Stored Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:08.024Z

Reserved: 2025-01-07T21:05:54.010Z

Link: CVE-2025-22822

cve-icon Vulnrichment

Updated: 2025-01-10T20:19:25.367Z

cve-icon NVD

Status : Deferred

Published: 2025-01-09T16:16:32.557

Modified: 2026-06-17T08:50:21.073

Link: CVE-2025-22822

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T22:15:27Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')