Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
6 vulnerabilities by adamskaat
CVE-2025-2270 (GCVE-0-2025-2270)
Vulnerability from cvelistv5 – Published: 2025-04-04 05:22 – Updated: 2025-04-04 13:07
VLAI?
Title
Countdown, Coming Soon, Maintenance – Countdown & Clock <= 2.8.9.1 - Unauthenticated Limited Local File Inclusion
Summary
The Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.9.1 via the createCdObj function. This makes it possible for unauthenticated attackers to include and execute files with the specific filenames on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in some cases.
Severity ?
8.1 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| adamskaat | Countdown, Coming Soon, Maintenance – Countdown & Clock |
Affected:
* , ≤ 2.8.9.1
(semver)
|
Credits
Michael Mazzolini
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T13:06:20.862819Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T13:07:41.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Countdown, Coming Soon, Maintenance \u2013 Countdown \u0026 Clock",
"vendor": "adamskaat",
"versions": [
{
"lessThanOrEqual": "2.8.9.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Countdown, Coming Soon, Maintenance \u2013 Countdown \u0026 Clock plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.9.1 via the createCdObj function. This makes it possible for unauthenticated attackers to include and execute files with the specific filenames on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in some cases."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T05:22:46.133Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2260d6b-1a41-4757-a063-8b8857ef416a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/RegisterPostType.php#L116"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-07T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-04-03T16:22:47.000Z",
"value": "Disclosed"
}
],
"title": "Countdown, Coming Soon, Maintenance \u2013 Countdown \u0026 Clock \u003c= 2.8.9.1 - Unauthenticated Limited Local File Inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2270",
"datePublished": "2025-04-04T05:22:46.133Z",
"dateReserved": "2025-03-12T23:49:19.036Z",
"dateUpdated": "2025-04-04T13:07:41.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30841 (GCVE-0-2025-30841)
Vulnerability from cvelistv5 – Published: 2025-04-01 20:58 – Updated: 2026-04-01 15:47
VLAI?
Title
WordPress Countdown & Clock plugin <=2.8.8 - Remote Code Execution (RCE) vulnerability
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in adamskaat Countdown & Clock countdown-builder allows Remote Code Inclusion.This issue affects Countdown & Clock: from n/a through <= 2.8.8.
Severity ?
No CVSS data available.
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| adamskaat | Countdown & Clock |
Affected:
0 , ≤ 2.8.8
(custom)
|
Date Public ?
2026-04-01 16:36
Credits
Martino Spagnuolo (r3verii) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T13:32:37.355576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-02T14:21:31.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "countdown-builder",
"product": "Countdown \u0026 Clock",
"vendor": "adamskaat",
"versions": [
{
"changes": [
{
"at": "2.8.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.8.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Martino Spagnuolo (r3verii) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:32.760Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in adamskaat Countdown \u0026 Clock countdown-builder allows Remote Code Inclusion.\u003cp\u003eThis issue affects Countdown \u0026 Clock: from n/a through \u003c= 2.8.8.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in adamskaat Countdown \u0026 Clock countdown-builder allows Remote Code Inclusion.This issue affects Countdown \u0026 Clock: from n/a through \u003c= 2.8.8."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "Remote Code Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:47:42.757Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/countdown-builder/vulnerability/wordpress-countdown-clock-plugin-2-8-8-remote-code-execution-rce-vulnerability?_s_id=cve"
}
],
"title": "WordPress Countdown \u0026 Clock plugin \u003c=2.8.8 - Remote Code Execution (RCE) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30841",
"datePublished": "2025-04-01T20:58:07.179Z",
"dateReserved": "2025-03-26T09:20:47.109Z",
"dateUpdated": "2026-04-01T15:47:42.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-23651 (GCVE-0-2025-23651)
Vulnerability from cvelistv5 – Published: 2025-02-14 12:44 – Updated: 2026-04-01 15:42
VLAI?
Title
WordPress Scroll Top plugin <= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamskaat Scroll Top scroll-to-top-builder allows Reflected XSS.This issue affects Scroll Top: from n/a through <= 1.3.3.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| adamskaat | Scroll Top |
Affected:
0 , ≤ 1.3.3
(custom)
|
Date Public ?
2026-04-01 16:33
Credits
SOPROBRO | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23651",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:35:49.064253Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:44:07.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "scroll-to-top-builder",
"product": "Scroll Top",
"vendor": "adamskaat",
"versions": [
{
"lessThanOrEqual": "1.3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SOPROBRO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:33:03.266Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in adamskaat Scroll Top scroll-to-top-builder allows Reflected XSS.\u003cp\u003eThis issue affects Scroll Top: from n/a through \u003c= 1.3.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in adamskaat Scroll Top scroll-to-top-builder allows Reflected XSS.This issue affects Scroll Top: from n/a through \u003c= 1.3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:42:44.379Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/scroll-to-top-builder/vulnerability/wordpress-scroll-top-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Scroll Top plugin \u003c= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-23651",
"datePublished": "2025-02-14T12:44:30.336Z",
"dateReserved": "2025-01-16T11:27:38.285Z",
"dateUpdated": "2026-04-01T15:42:44.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50516 (GCVE-0-2024-50516)
Vulnerability from cvelistv5 – Published: 2024-11-19 16:32 – Updated: 2026-04-01 15:37
VLAI?
Title
WordPress Countdown & Clock plugin <= 3.0.8 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamskaat Countdown & Clock countdown-builder allows Stored XSS.This issue affects Countdown & Clock: from n/a through <= 3.0.8.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| adamskaat | Countdown & Clock |
Affected:
0 , ≤ 3.0.8
(custom)
|
Date Public ?
2026-04-01 16:31
Credits
Hwang Se-yeon | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50516",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T21:03:46.202060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T21:03:56.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "countdown-builder",
"product": "Countdown \u0026 Clock",
"vendor": "adamskaat",
"versions": [
{
"lessThanOrEqual": "3.0.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hwang Se-yeon | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:31:23.281Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in adamskaat Countdown \u0026 Clock countdown-builder allows Stored XSS.\u003cp\u003eThis issue affects Countdown \u0026 Clock: from n/a through \u003c= 3.0.8.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in adamskaat Countdown \u0026 Clock countdown-builder allows Stored XSS.This issue affects Countdown \u0026 Clock: from n/a through \u003c= 3.0.8."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:37:06.630Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/countdown-builder/vulnerability/wordpress-countdown-clock-plugin-2-8-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Countdown \u0026 Clock plugin \u003c= 3.0.8 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-50516",
"datePublished": "2024-11-19T16:32:16.039Z",
"dateReserved": "2024-10-24T07:27:11.266Z",
"dateUpdated": "2026-04-01T15:37:06.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9187 (GCVE-0-2024-9187)
Vulnerability from cvelistv5 – Published: 2024-10-12 05:39 – Updated: 2024-10-15 13:23
VLAI?
Title
Read more By Adam <= 1.1.8 - Missing Authorization to Authenticated (Subscriber+) Read More Button Deletion
Summary
The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| adamskaat | Read more By Adam |
Affected:
* , ≤ 1.1.8
(semver)
|
Credits
Francesco Carlucci
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T13:21:47.459345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T13:23:18.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Read more By Adam",
"vendor": "adamskaat",
"versions": [
{
"lessThanOrEqual": "1.1.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-12T05:39:39.961Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ebc8d0d-04b6-49a0-96c1-7c6d930009d8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/read-more/trunk/files/RadMoreAjax.php#L9"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-11T16:35:39.000Z",
"value": "Disclosed"
}
],
"title": "Read more By Adam \u003c= 1.1.8 - Missing Authorization to Authenticated (Subscriber+) Read More Button Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9187",
"datePublished": "2024-10-12T05:39:39.961Z",
"dateReserved": "2024-09-25T20:30:23.076Z",
"dateUpdated": "2024-10-15T13:23:18.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2017 (GCVE-0-2024-2017)
Vulnerability from cvelistv5 – Published: 2024-06-06 02:38 – Updated: 2024-08-01 18:56
VLAI?
Title
Countdown, Coming Soon, Maintenance – Countdown & Clock <= 2.7.8 - Missing Authorization to Authenticated (Subscriber+) PHP Object Injection
Summary
The Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the conditionsRow and switchCountdown functions in all versions up to, and including, 2.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject PHP Objects and modify the status of countdowns.
Severity ?
5.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| adamskaat | Countdown, Coming Soon, Maintenance – Countdown & Clock |
Affected:
* , ≤ 2.7.8
(semver)
|
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2017",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T17:38:24.494057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T17:38:32.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.545Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8fab229-cd6b-45a3-9e80-a03a1704ad3e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L92"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L51"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3097588/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3096150/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Countdown, Coming Soon, Maintenance \u2013 Countdown \u0026 Clock",
"vendor": "adamskaat",
"versions": [
{
"lessThanOrEqual": "2.7.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Countdown, Coming Soon, Maintenance \u2013 Countdown \u0026 Clock plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the conditionsRow and switchCountdown functions in all versions up to, and including, 2.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject PHP Objects and modify the status of countdowns."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T02:38:13.733Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8fab229-cd6b-45a3-9e80-a03a1704ad3e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L92"
},
{
"url": "https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L51"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3097588/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3096150/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-05T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Countdown, Coming Soon, Maintenance \u2013 Countdown \u0026 Clock \u003c= 2.7.8 - Missing Authorization to Authenticated (Subscriber+) PHP Object Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2017",
"datePublished": "2024-06-06T02:38:13.733Z",
"dateReserved": "2024-02-29T14:59:22.558Z",
"dateUpdated": "2024-08-01T18:56:22.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}