Countdown Timer <= 1.0.5 – Contributor+ Stored XSS | CVE 2024-10631 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. Contributor+ creates a post including the countdown widget.
2. Sets the countdown time 
3. Block > On Date Expiry > Expire Type | Set to redirect to link.
4. Set the URL Address to `javascript:alert("Stored XSS")`
5. Set "Open New tab" to false.
6. When the Admin publishes the post and the countdown is finished the Javascript will run.

Affects Plugins

countdown-timer-block

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Sakotas

Submitter

Sakotas

Verified

Yes

WPVDB ID

b153fb5e-7df2-491b-b61b-6f90314c7b04

Timeline

Publicly Published

2024-10-16 (about 1 year ago)

Added

2024-11-22 (about 1 year ago)

Last Updated

2024-11-22 (about 1 year ago)

Other

Published

Title

Published

2024-10-24

Title

Astra Widgets < 1.2.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-10

Title

iCal Feeds <= 1.5.3 - Reflected Cross-Site Scripting

Published

2019-07-27

Title

Animate It < 2.3.6 - XSS

Published

2023-11-06

Title

Webpushr < 4.35.0 - Unauthenticated Stored XSS

Published

2025-06-05

Title

WordPress Ajax Load More and Infinite Scroll <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter