Description
The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `countdown_settings_content()` function. This makes it possible for unauthenticated attackers to update the plugin settings including the countdown timeout, redirect URL, and custom text, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-03-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized administrative changes and site redirection via CSRF
Action: Apply Patch
AI Analysis

Impact

The Redirect Countdown WordPress plugin contains a CSRF flaw due to missing nonce validation in the countdown_settings_content() function. This flaw allows an unauthenticated attacker to forge a request that updates plugin settings, including the countdown timeout, redirect URL, and custom text. The attacker can therefore cause the site to redirect visitors to a malicious URL or display deceptive messages, potentially resulting in phishing or other downstream attacks. The weakness is classified as CWE-352 (Cross-Site Request Forgery).

Affected Systems

The issue affects the "Redirect Countdown" plugin developed by HAGHS, for all WordPress installations using version 1.0 or earlier. Administrators running these versions are at risk until the plugin is upgraded or removed.

Risk and Exploitability

With a CVSS score of 4.3, the vulnerability presents moderate severity. No EPSS data is available, and it is not listed in the KEV catalog. The attack path requires the attacker to coerce a legitimate site administrator into visiting a crafted link or otherwise triggering the forged request. Because it exploits a CSRF weakness, the risk is confined to environments where administrators routinely open unfamiliar links. Nonetheless, the potential for undetected settings changes and malicious redirections warrants prompt attention.

Generated by OpenCVE AI on March 21, 2026 at 06:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Redirect Countdown plugin to a version newer than 1.0 (or remove the plugin if no update is available).
  • Verify that the new plugin version includes nonce checks for settings updates.
  • If an update is unavailable, disable or uninstall the plugin to remove the CSRF exposure.

Generated by OpenCVE AI on March 21, 2026 at 06:27 UTC.
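As an added illustration that is not the plugin's code and not part of this record: the pattern the description points at (a settings handler that writes options straight from POST data with no nonce check) beside the hardened form a reviewer following the "verify that the new plugin version includes nonce checks for settings updates" recommendation would expect to find. Only the function name countdown_settings_content() comes from the advisory; the option names, form field names and nonce action string are invented for this example.

```php
<?php
/*
 * Constructed example, not the Redirect Countdown plugin's source.
 * Option names ('rc_timeout', 'rc_redirect_url', 'rc_custom_text'), the
 * form field names and the nonce action 'rc_save_settings' are assumptions.
 */

// --- Vulnerable pattern (CWE-352): every POST reaching this admin page is trusted. ---
// A cross-site form auto-submitted by a logged-in administrator's browser carries
// the admin's session cookies, so update_option() runs with no evidence that the
// administrator intended the change.
function countdown_settings_content_vulnerable() {
    if ( isset( $_POST['rc_save'] ) ) {
        update_option( 'rc_timeout', absint( $_POST['rc_timeout'] ) );
        update_option( 'rc_redirect_url', esc_url_raw( $_POST['rc_redirect_url'] ) );
        update_option( 'rc_custom_text', sanitize_text_field( $_POST['rc_custom_text'] ) );
    }
    // ... form rendered here without wp_nonce_field() ...
}

// --- Hardened pattern: capability check plus nonce verification before any write. ---
function countdown_settings_content() {
    if ( isset( $_POST['rc_save'] ) ) {
        // 1. Only users allowed to manage options may save (authorization).
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'rc-example' ) );
        }
        // 2. The nonce binds this POST to a form WordPress rendered for this user
        //    and this action. A third-party page cannot read it, so a forged
        //    request fails here; check_admin_referer() calls wp_die() on failure.
        check_admin_referer( 'rc_save_settings', 'rc_settings_nonce' );

        // 3. Sanitize each field for its type before storing it.
        update_option( 'rc_timeout', absint( wp_unslash( $_POST['rc_timeout'] ?? 0 ) ) );
        update_option( 'rc_redirect_url', esc_url_raw( wp_unslash( $_POST['rc_redirect_url'] ?? '' ) ) );
        update_option( 'rc_custom_text', sanitize_text_field( wp_unslash( $_POST['rc_custom_text'] ?? '' ) ) );
    }
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'rc_save_settings', 'rc_settings_nonce' ); ?>
        <label>Timeout (seconds)
            <input type="number" name="rc_timeout"
                   value="<?php echo esc_attr( get_option( 'rc_timeout', 5 ) ); ?>">
        </label>
        <label>Redirect URL
            <input type="url" name="rc_redirect_url"
                   value="<?php echo esc_attr( get_option( 'rc_redirect_url', '' ) ); ?>">
        </label>
        <label>Custom text
            <input type="text" name="rc_custom_text"
                   value="<?php echo esc_attr( get_option( 'rc_custom_text', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save', 'primary', 'rc_save' ); ?>
    </form>
    <?php
}
```

When checking an updated release, read the settings handler and confirm that a check_admin_referer() or wp_verify_nonce() call precedes every update_option(), and that the form emits the matching wp_nonce_field(). A capability check on its own does not close the hole: the forged request is executed by the administrator's browser and passes current_user_can() just as a legitimate save would.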

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type               | Values Removed | Values Added
First Time appeared |                | Haghs; Haghs redirect Countdown; Wordpress; Wordpress wordpress
Vendors & Products  |                | Haghs; Haghs redirect Countdown; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `countdown_settings_content()` function. This makes it possible for unauthenticated attackers to update the plugin settings including the countdown timeout, redirect URL, and custom text, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title       |                | Redirect countdown <= 1.0 - Cross-Site Request Forgery to Settings Update
Weaknesses  |                | CWE-352
References  |                |
Metrics     |                | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:22.806Z

Reserved: 2026-01-23T20:52:46.325Z

Link: CVE-2026-1390

Vulnrichment

Updated: 2026-03-23T16:40:09.992Z

NVD

Status: Deferred

Published: 2026-03-21T04:16:52.997

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-1390

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:31Z

Weaknesses