WordPress Plugin Vulnerabilities

Countdown, Coming Soon, Maintenance – Countdown & Clock < 2.7.8.1 - Missing Authorization to Authenticated (Subscriber+) PHP Object Injection

Description

The Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the conditionsRow and switchCountdown functions in all versions up to, and including, 2.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject PHP Objects and modify the status of countdowns.

Affects Plugins

Plugin icon
countdown-builder
Fixed in 2.7.8.1

References

CVE
CVE-2024-2017
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d8fab229-cd6b-45a3-9e80-a03a1704ad3e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
36eef93d-094b-409e-8ea2-f63eda2cc476

Timeline

Publicly Published
2024-06-05 (about 2 years ago)
Added
2024-06-05 (about 2 years ago)
Last Updated
2024-06-06 (about 1 year ago)

Other

Published
Title
Published
2024-12-11
Title
WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses < 3.2.22 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Update
Published
2025-06-19
Title
Cookie-Script.com < 1.2.2 - Missing Authorization
Published
2024-04-05
Title
EventPrime < 3.3.5 - Unauthenticated Booking Price Manipulation
Published
2025-09-03
Title
Mobile Contact Line < 2.4.1 - Missing Authorization
Published
2025-12-09
Title
Imager for Elementor <= 2.0.4 - Missing Authorization