Description
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Counter Box counter-box allows Cross Site Request Forgery.This issue affects Counter Box: from n/a through <= 2.0.5.
Published: 2025-01-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic CSRF flaw (CWE‑352) that allows an attacker to submit form data to the Counter Box plugin’s settings page without the user’s knowledge. If the user is logged in with sufficient privileges, the attacker can alter plugin configuration, potentially disabling site features, changing display settings, or enabling further malicious actions. This change could affect the website’s appearance, behavior, or even expose sensitive information if settings control access levels.

Affected Systems

Wow‑Company Counter Box plugin versions up to and including 2.0.5 are affected. The plugin integrates with WordPress sites via the standard admin interface; no other plugins or products are listed as affected.

Risk and Exploitability

The CVSS score of 5.4 classifies this as moderate; the EPSS score of less than 1% indicates very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through a user who is benched or logged into the site and visiting a malicious page that submits a forged POST request to the plugin’s settings endpoint. Exploitation requires that the target user has administrative or editor privileges on the WordPress installation.

Generated by OpenCVE AI on May 1, 2026 at 18:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Counter Box plugin to the latest available version (≥ 2.0.6).
  • If an update is not immediately possible, disable the Counter Box plugin or block access to its settings page via .htaccess or WordPress role management.
  • Verify that your WordPress installation enforces CSRF protection on all admin pages and consider using a security plugin that adds additional CSRF tokens.
  • Ensure that authentication tokens are properly invalidated upon logout and that users are logged out from shared devices.

Generated by OpenCVE AI on May 1, 2026 at 18:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3907 Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Counter Box allows Cross Site Request Forgery. This issue affects Counter Box: from n/a through 2.0.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Counter Box allows Cross Site Request Forgery. This issue affects Counter Box: from n/a through 2.0.5. Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Counter Box counter-box allows Cross Site Request Forgery.This issue affects Counter Box: from n/a through <= 2.0.5.
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Mon, 09 Jun 2025 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Wow-company
Wow-company counter Box
CPEs cpe:2.3:a:wow-company:counter_box:*:*:*:*:*:wordpress:*:*
Vendors & Products Wow-company
Wow-company counter Box

Fri, 24 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Counter Box allows Cross Site Request Forgery. This issue affects Counter Box: from n/a through 2.0.5.
Title WordPress Counter Box Plugin <= 2.0.5 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

Wow-company Counter Box
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:16:59.292Z

Reserved: 2025-01-23T14:52:38.446Z

Link: CVE-2025-24715

cve-icon Vulnrichment

Updated: 2025-01-24T18:38:38.367Z

cve-icon NVD

Status : Modified

Published: 2025-01-24T18:15:44.913

Modified: 2026-04-23T15:25:21.160

Link: CVE-2025-24715

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T18:45:15Z

Weaknesses