Impact
Counter Box plugin for WordPress is susceptible to PHP Object Injection through deserialization of untrusted input during import operations. Attackers with administrator-level authentication can inject arbitrary PHP objects into the system. Although the plugin itself does not contain a use‑after‑free or other exploitation chain, the presence of a vulnerable POP chain in another plugin or theme could allow file deletion, data exfiltration, or arbitrary code execution.
Affected Systems
The vulnerability affects the Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin (vendor wpcalc) in all releases up to and including version 2.0.13. Any site running these versions is potentially exposed when an authenticated administrator performs an import.
Risk and Exploitability
With a CVSS score of 6.6, the risk is moderate but significant, especially in environments where additional plugins or themes provide a vulnerable PHP object chain. The EPSS score of <1% indicates low but non‑zero likelihood of exploitation. The attack vector is internal; it requires administrator authentication and triggers during the import redirect or when editing an imported item. The vulnerability is not listed in the CISA KEV catalog, but mitigation remains critical.
OpenCVE Enrichment