Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown Pro WP Plugin circular_countdown allows SQL Injection.This issue affects CountDown Pro WP Plugin: from n/a through <= 2.7.
Published: 2025-05-16
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CountDown Pro WP Plugin from LambertGroup contains an SQL injection flaw (CWE-89) in its circular_countdown component: user-controlled input reaches an SQL statement without adequate neutralization. The recorded CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) rates confidentiality impact as High, integrity as None and availability as Low, so the assessed impact is disclosure of data held in the WordPress database (which can include password hashes and other sensitive content) plus limited disruption, not arbitrary modification of site content. The changed scope (S:C) indicates that the damage reaches beyond the plugin itself to the site's database.

Affected Systems

Every release up to and including 2.7 is affected; the CVE record gives the range as "n/a through <= 2.7", i.e. no lower bound is known. The issue resides in the plugin's "circular_countdown" component. No fixed version is listed in the record, so any WordPress site running the plugin should be treated as affected until the vendor publishes a patched release.

Risk and Exploitability

The CVSS 3.1 base score of 8.5 (High) reflects a network-reachable flaw that requires low-privilege authentication (PR:L) but no user interaction; the EPSS score below 1% and the SSVC assessment (Exploitation: none, Automatable: no) indicate low observed exploitation at present. The likely attack vector is a crafted HTTP request to the plugin's endpoint from an account with at least low privileges, so sites that allow open registration or have many subscriber-level users are the most exposed. The flaw is not listed in CISA's KEV catalog, yet the high confidentiality impact warrants prompt action.

Generated by OpenCVE AI on May 1, 2026 at 08:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CountDown Pro WP Plugin to a version newer than 2.7 once the vendor releases a patch; as of this record no fixed version is listed.
  • If a patch is not available, deactivate and remove the plugin. Deactivating alone leaves the plugin files on disk and directly requestable, so delete them to eliminate the attack vector.
  • Until the vulnerability is resolved, restrict access to the plugin's endpoints with a web application firewall or web‑server rule. Because exploitation requires an authenticated low‑privilege account (CVSS PR:L), also disable open user registration where it is not needed and review existing low‑privilege accounts.
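The triage helper below is an added example, not OpenCVE's or LambertGroup's code. It scans a WordPress wp-content/plugins directory for plugins whose "Plugin Name:" header matches a pattern and reports whether the installed "Version:" falls inside the affected range (here <= 2.7). The plugin's directory slug is not given in this record, so matching on the header name is an assumption; the name pattern 'CountDown Pro', the maximum affected version and the plugins path are placeholders to adjust for your site. A plugin with no parseable version is reported as VULNERABLE on purpose, since it cannot be shown to be fixed.

```shell
#!/bin/sh
# Added example (not vendor or OpenCVE code): locate installed copies of a
# WordPress plugin by its header and flag versions in an affected range.

# version_le A B: exit 0 if dotted version A <= B (numeric per component,
# missing components count as 0), exit 1 otherwise. Pure awk, no sort -V needed.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0;
            q = (i <= nb) ? y[i] + 0 : 0;
            if (p < q) exit 0;
            if (p > q) exit 1;
        }
        exit 0;   # equal
    }'
}

# find_affected_plugins PLUGINS_DIR NAME_PATTERN MAX_VULN_VERSION
# Prints one line per matching plugin: "<plugin dir> <version> VULNERABLE|ok".
# WordPress reads plugin headers from the first 8 KiB of the main file, so we
# only inspect that much. Header lines look like " * Plugin Name: Foo" inside a
# PHP comment; the bracket expression skips leading whitespace, '*', '#' and '/'.
find_affected_plugins() {
    plugins_dir=$1
    name_pattern=$2   # matched case-insensitively as a basic regex
    max_vuln=$3

    for f in "$plugins_dir"/*/*.php "$plugins_dir"/*.php; do
        [ -f "$f" ] || continue
        header=$(head -c 8192 "$f")

        printf '%s\n' "$header" \
            | grep -qi "^[[:space:]*#/]*Plugin Name:[[:space:]]*.*$name_pattern" \
            || continue

        version=$(printf '%s\n' "$header" \
            | sed -n 's|^[[:space:]*#/]*Version:[[:space:]]*\([0-9][0-9.]*\).*|\1|p' \
            | head -n1)
        [ -n "$version" ] || version=unknown

        status=ok
        if [ "$version" = unknown ] || version_le "$version" "$max_vuln"; then
            status=VULNERABLE
        fi
        printf '%s %s %s\n' "$(dirname "$f")" "$version" "$status"
    done
}

# Usage (placeholder path and pattern; adjust for your install):
#   find_affected_plugins /var/www/html/wp-content/plugins 'CountDown Pro' 2.7
```

Run it on each WordPress document root you manage and act on every VULNERABLE line per the recommendations above. The version comparison is numeric per component, so 2.10 is correctly treated as newer than 2.7, and a site with several copies of the plugin (for example a staging clone under the same root) gets one line per copy.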

Generated by OpenCVE AI on May 1, 2026 at 08:35 UTC.

Advisories
Source  ID               Title
EUVD    EUVD-2025-15485  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown Pro WP Plugin allows SQL Injection. This issue affects CountDown Pro WP Plugin: from n/a through 2.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown Pro WP Plugin allows SQL Injection. This issue affects CountDown Pro WP Plugin: from n/a through 2.7.
  Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown Pro WP Plugin circular_countdown allows SQL Injection.This issue affects CountDown Pro WP Plugin: from n/a through <= 2.7.
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown Pro WP Plugin allows SQL Injection. This issue affects CountDown Pro WP Plugin: from n/a through 2.7.
Title WordPress CountDown Pro WP Plugin <= 2.7 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:21.622Z

Reserved: 2025-04-04T10:02:46.815Z

Link: CVE-2025-32301

Vulnrichment

Updated: 2025-05-16T16:41:37.747Z

NVD

Status : Deferred

Published: 2025-05-16T16:15:39.500

Modified: 2026-04-23T15:28:55.870

Link: CVE-2025-32301

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:45:06Z

Weaknesses