Description
The Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.13 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization is triggered automatically upon the post-import redirect that renders the list table, and again when any item is opened for editing, requiring no additional navigation beyond the import action itself.
Published: 2026-06-17
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Counter Box plugin for WordPress is susceptible to PHP Object Injection through deserialization of untrusted input during import operations. Attackers with administrator-level authentication can inject arbitrary PHP objects into the system. Although the plugin itself does not contain a use‑after‑free or other exploitation chain, the presence of a vulnerable POP chain in another plugin or theme could allow file deletion, data exfiltration, or arbitrary code execution.

Affected Systems

The vulnerability affects the Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin (vendor wpcalc) in all releases up to and including version 2.0.13. Any site running these versions is potentially exposed when an authenticated administrator performs an import.

Risk and Exploitability

With a CVSS score of 6.6, the risk is moderate but significant, especially in environments where additional plugins or themes provide a vulnerable PHP object chain. The EPSS score of <1% indicates low but non‑zero likelihood of exploitation. The attack vector is internal; it requires administrator authentication and triggers during the import redirect or when editing an imported item. The vulnerability is not listed in the CISA KEV catalog, but mitigation remains critical.

Generated by OpenCVE AI on June 18, 2026 at 12:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Counter Box plugin to the latest released version (beyond 2.0.13) or uninstall it if no longer needed.
  • Remove or update any other plugins or themes that contain vulnerable PHP object chains to eliminate the potential attack surface.
  • If an upgrade is not feasible immediately, disable the import functionality for administrator users or restrict the import option to users with lower privileges to prevent exploitation.

Generated by OpenCVE AI on June 18, 2026 at 12:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpcalc
Wpcalc counter Box – Add Countdowns, Timers & Dynamic Counters To Wordpress
Vendors & Products Wordpress
Wordpress wordpress
Wpcalc
Wpcalc counter Box – Add Countdowns, Timers & Dynamic Counters To Wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description The Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.13 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization is triggered automatically upon the post-import redirect that renders the list table, and again when any item is opened for editing, requiring no additional navigation beyond the import action itself.
Title Counter Box <= 2.0.13 - Authenticated (Administrator+) PHP Object Injection via Import
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Wpcalc Counter Box – Add Countdowns, Timers & Dynamic Counters To Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-17T10:36:36.992Z

Reserved: 2026-06-12T14:46:23.642Z

Link: CVE-2026-12115

cve-icon Vulnrichment

Updated: 2026-06-17T10:36:31.629Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:03Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data