Impact
The vulnerability is a missing authorization flaw that allows an attacker with sufficient privileges to modify or remove countdown elements created by the Countdowner for Elementor plugin. Because the issue stems from incorrectly configured access control levels, users who can access the WordPress admin interface may be able to use the plugin’s editor without holding the appropriate role. The impact is unauthorized access to content and potential disruption of a site’s front‑end displays; the vulnerability does not provide a route to execute code or compromise the entire WordPress installation.
Affected Systems
This flaw affects the Countdowner for Elementor plugin distributed by merkulove. All installed versions up to and including 1.0.4 are vulnerable. The plugin is a WordPress extension that adds countdown widgets for Elementor.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, while the EPSS score of <1% suggests that exploitation is unlikely but not impossible. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector, whether local or remote, is an authenticated user who can access the plugin’s editor interface, so an attacker who gains or already has legitimate WordPress admin or editor privileges can leverage the flaw without additional exposure. While the issue does not involve remote code execution, the improper access controls can still lead to content tampering or denial of service to end‑users.
OpenCVE Enrichment