Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in adamskaat Countdown & Clock countdown-builder allows Remote Code Inclusion. This issue affects Countdown & Clock: from n/a through <= 2.8.8.
Published: 2025-04-01
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper limitation of a pathname to a restricted directory, allowing an attacker to traverse directories and include arbitrary files uploaded or accessed by the plugin. This Path Traversal flaw can lead to Remote Code Inclusion, enabling an attacker to execute arbitrary code on the affected WordPress site. The weakness is classified as CWE‑22 and carries a severity of 9.9 on the CVSS scale, indicating critical impact on confidentiality, integrity, and availability of the host system.

Affected Systems

WordPress installations that have the adamskaat Countdown & Clock plugin version 2.8.8 or older are affected. No specific patch versions are listed as fixed in the data; the issue is present up to 2.8.8.

Risk and Exploitability

The EPSS score is below 1%, suggesting a low probability of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web request to the plugin that allows arbitrary file paths, implying that an attacker would need network access to the WordPress site and would exploit the plugin’s file handling logic. With a CVSS of 9.9, the risk is high, and successful exploitation would grant an attacker full control of the web server.

Generated by OpenCVE AI on May 1, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Countdown & Clock plugin to version 2.9 or later, which the vendor maintains as the fix for this flaw.
  • If an upgrade is not possible, restrict file write permissions for the plugin directory so that only the intended files can be stored or modified.
  • Configure the web server to deny direct access to the plugin’s internal directories and files, preventing arbitrary file inclusion from user input.

Advisories
Source ID Title
EUVD EUVD-2025-9484 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in adamskaat Countdown & Clock allows Remote Code Inclusion. This issue affects Countdown & Clock: from n/a through 2.8.8.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in adamskaat Countdown & Clock allows Remote Code Inclusion. This issue affects Countdown & Clock: from n/a through 2.8.8.
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in adamskaat Countdown & Clock countdown-builder allows Remote Code Inclusion. This issue affects Countdown & Clock: from n/a through <= 2.8.8.
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Wed, 02 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in adamskaat Countdown & Clock allows Remote Code Inclusion. This issue affects Countdown & Clock: from n/a through 2.8.8.
Title WordPress Countdown & Clock plugin <=2.8.8 - Remote Code Execution (RCE) vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.941Z

Reserved: 2025-03-26T09:20:47.109Z

Link: CVE-2025-30841

Vulnrichment

Updated: 2025-04-02T13:32:39.007Z

NVD

Status: Deferred

Published: 2025-04-01T21:15:45.167

Modified: 2026-04-29T10:16:44.530

Link: CVE-2025-30841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:45:05Z

Weaknesses