WordPress Plugin Vulnerabilities

Countdown & Clock < 2.3.3 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the ycd_type parameter before outputting back in a page, leading to a Reflected Cross-Site Scripting

Affects Plugins

Plugin icon
countdown-builder
Fixed in 2.3.3

References

CVE
CVE-2022-29421

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Ex.Mi
Verified
No
WPVDB ID
bedcbee3-0a4f-4f01-936b-b0758870ad40

Timeline

Publicly Published
2022-04-28 (about 4 years ago)
Added
2022-05-07 (about 4 years ago)
Last Updated
2022-07-27 (about 3 years ago)

Other

Published
Title
Published
2023-01-02
Title
Qubely < 1.8.5 - Contributor+ Stored XSS
Published
2023-02-02
Title
IP Vault - WP Firewall < 2.1 - Admin+ Stored XSS
Published
2025-04-09
Title
MultiMailer <= 1.0.3 - Reflected Cross-Site Scripting
Published
2025-02-02
Title
Dreamstime Stock Photos < 4.2 - Reflected Cross-Site Scripting
Published
2025-02-05
Title
SimplePress Forum < 6.10.11 - Reflected XSS