The plugin’s input fields are not properly sanitized before rendering, allowing attackers to store malicious JavaScript within the block. When a visitor views a page containing the compromised block, the script runs in the victim’s browser, providing the attacker with the ability to hijack sessions, steal sensitive data, deface content, or launch further attacks. This vulnerability is a classic example of CWE‑79 and can leak confidential information or alter the user experience by executing arbitrary code.

All WordPress installations running the Countdown Timer plugin from the earliest released version up through version 1.2.6 are affected. The vendor, bPlugins, does not specify a minimum vulnerable version, so any site with 1.2.6 or earlier should assume risk.

The CVSS base score of 6.5 classifies the flaw as medium severity, while an EPSS score of less than 1 % indicates a currently low likelihood of exploitation in the wild. The vulnerability is listed in no KEV catalog, reducing immediate operational exposure. Exploitation requires that an attacker can inject content into the block, typically through an administrative or author account, but once stored it can affect all site visitors. Given the moderate score and low EPSS, the danger is contingent on whether the plugin remains unpatched and the site’s user roles allow content manipulation.