An improper neutralization of input in the Product Time Countdown for WooCommerce plugin allows attackers to embed malicious scripts that are stored and later rendered as part of the plugin’s HTML output. Because the flaw is stored, any user who views the affected countdown element will have the injected code executed in their browser, enabling session hijacking, cookie theft, or site defacement. The issue is catalogued as CWE‑79, indicating a failure to properly encode or sanitize data before rendering it.

The vulnerability exists in all releases of the ProWCPlugins Product Time Countdown for WooCommerce plugin up to and including version 1.6.5. Any WordPress site that has installed a vulnerable version of the plugin, regardless of the underlying operating system or WordPress version, is susceptible as the plugin stores the unchecked input in the database and outputs it via the front‑end.

The CVSS score of 5.9 places the flaw in the medium severity range, while the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, further indicating limited known exploitation. An attacker typically needs write access to a countdown timer or related content—most often through an authenticated administrative role—to inject the malicious payload. Once a victim views the page, the script runs in the victim’s browser, posing a risk to confidentiality, integrity, and availability of the site’s users.