This vulnerability allows an attacker to inject arbitrary scripts that are permanently stored in the Widget Countdown plugin’s content. When a legitimate user views a page that displays the affected widget, the injected script runs in the victim’s browser, potentially stealing session cookies, hijacking accounts, defacing content, or executing additional malicious payloads. The weakness stems from the plugin’s failure to properly escape or sanitize user‑supplied input during page rendering, as identified by CWE‑79.

The flaw is present in all releases of the wpdevart Widget Countdown WordPress plugin up to and including version 2.7.1. Any WordPress site that has installed or is running this plugin is susceptible, regardless of the site’s administrative user structure, as the exploit takes advantage of data stored in the plugin’s configuration fields.

The CVSS score of 6.5 denotes a moderate severity. The EPSS probability is less than 1%, indicating that widespread exploitation at present is unlikely. The vulnerability is not listed in the CISA KEV catalog. According to the description, the flaw is triggered by inserting unescaped user input into widget configuration fields; therefore, the most plausible attack vector is an attacker who can add or edit widget content through the WordPress admin interface or a similar exposed input mechanism. Once stored, the malicious script executes in the browsers of users who view pages containing the widget, leading to client‑side injection that may compromise session cookies, hijack accounts, deface content, or enable further malicious payloads. The impact is confined to the client side; however, credential theft or follow‑on attacks from the victim’s device remain possible.