Countdown & Clock <= 3.0.8 – Admin+ Stored XSS | CVE 2024-50516 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

countdown-builder

No known fix

References

CVE

URL

https://patchstack.com/database/wordpress/plugin/countdown-builder/vulnerability/wordpress-countdown-clock-plugin-2-8-0-6-cross-site-scripting-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Hwang Se-yeon

Verified

No

WPVDB ID

012eb3bf-dbb4-436b-a7b3-a15661aac1c2

Timeline

Publicly Published

2024-10-28 (about 1 year ago)

Added

2024-12-12 (about 1 year ago)

Last Updated

2026-02-10 (about 3 months ago)

Other

Published

Title

Published

2024-03-19

Title

Responsive Gallery Grid < 2.3.11 - Admin+ Stored XSS

Published

2023-12-27

Title

WPCS – WordPress Currency Switcher Professional < 1.2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-03-23

Title

Addon Jobsearch Chat < 3.1 - Reflected Cross-Site Scripting

Published

2024-12-20

Title

Reactflow Visitor Recording and Heatmaps <= 1.0.10 - Reflected Cross-Site Scripting

Published

2018-04-03

Title

WordPress 3.7-4.9.4 - Escape Version in Generator Tag