Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Activity Track Uji Countdown uji-countdown allows Reflected XSS. This issue affects Uji Countdown: from n/a through <= 2.3.3.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Activity Track Uji Countdown contains a reflected cross-site scripting flaw caused by improper neutralization of user input during page rendering. The vulnerability allows an attacker to inject JavaScript that executes in the victim's browser when a crafted URL or form input is accessed. Exploitation can lead to session hijacking, credential theft, or defacement of the page as rendered for the user who views the malicious payload.

Affected Systems

The flaw affects all installations of the Activity Track Uji Countdown plugin for WordPress up to and including version 2.3.3. Sites still running this release or earlier are vulnerable and should be checked for the plugin's presence and installed version.

Risk and Exploitability

With a CVSS score of 7.1 this issue rates as high severity, while the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires attacker-controlled input that is reflected back to the victim and relies on user interaction with a crafted link or form. The attack can be performed remotely over the internet without privileged access to the server.

Generated by OpenCVE AI on April 30, 2026 at 05:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Uji Countdown to the latest available version to apply the vendor patch.
  • If an upgrade is not immediately possible, restrict or sanitize inputs in the plugin’s forms and URLs, and enforce a strong Content Security Policy to mitigate malicious script execution.
  • Consider disabling the plugin on production sites that cannot be updated promptly, and monitor site traffic for anomalous request patterns that may indicate an attempt to exploit the XSS flaw.
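The second recommended action above (sanitize inputs and enforce a Content Security Policy) is the general fix for CWE-79 in a WordPress plugin. The following PHP is an added illustration written for this page, not code from Uji Countdown or from Activity Track: the shortcode tag `demo_countdown`, the functions `demo_countdown_unsafe`, `demo_countdown_safe` and `demo_send_csp`, and the request parameter `demo_label` are all hypothetical. It shows the reflected-output pattern that produces this class of bug next to the hardened form that escapes for the correct output context, plus a CSP header that refuses inline script as a second layer.

```php
<?php
// Added illustration for CWE-79 in a WordPress plugin; NOT code from Uji Countdown.
// Hypothetical shortcode [demo_countdown] that writes a request parameter back
// into the page. Function names, the 'demo_label' parameter and the shortcode
// tag are invented for this example.

// UNSAFE pattern: a request parameter is written into HTML without escaping,
// so any markup supplied in ?demo_label=... is reflected verbatim into the page.
function demo_countdown_unsafe( $atts ) {
    $label = isset( $_GET['demo_label'] ) ? $_GET['demo_label'] : 'Countdown';
    return '<div class="countdown" data-label="' . $label . '">' . $label . '</div>';
}

// HARDENED pattern: unslash and sanitize on input, then escape for the exact
// output context (attribute value vs. element text). wp_unslash(),
// sanitize_text_field(), esc_attr() and esc_html() are WordPress core functions;
// the context-specific escape on output is what neutralizes reflected XSS.
function demo_countdown_safe( $atts ) {
    $raw   = isset( $_GET['demo_label'] ) ? wp_unslash( $_GET['demo_label'] ) : 'Countdown';
    $label = sanitize_text_field( $raw );
    return '<div class="countdown" data-label="' . esc_attr( $label ) . '">'
         . esc_html( $label ) . '</div>';
}
add_shortcode( 'demo_countdown', 'demo_countdown_safe' );

// Defence in depth: a Content Security Policy with no 'unsafe-inline' means a
// reflected inline script that slips past escaping is still not executed.
function demo_send_csp() {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}
add_action( 'send_headers', 'demo_send_csp' );
```

The CSP shown is deliberately strict; many WordPress themes and plugins rely on inline scripts, so roll it out first as `Content-Security-Policy-Report-Only`, review the violation reports, and only then switch to the enforcing header. Escaping at output is the primary control; the policy is a backstop, not a substitute for it.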

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Activity Track; Activity Track uji Countdown; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Activity Track; Activity Track uji Countdown; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Activity Track Uji Countdown uji-countdown allows Reflected XSS. This issue affects Uji Countdown: from n/a through <= 2.3.3.

Type: Title
Values Added: WordPress Uji Countdown plugin <= 2.3.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:04:08.232Z

Reserved: 2025-06-19T10:02:55.535Z

Link: CVE-2025-52749

Vulnrichment

Updated: 2025-10-23T15:15:22.674Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:44.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-52749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:45:16Z

Weaknesses