WordPress Plugin Vulnerabilities

Countdown & Clock <= 3.0.8 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

Affects Plugins

Plugin icon
countdown-builder
No known fix

References

CVE
CVE-2022-29420
CVE
CVE-2022-29422
URL
https://patchstack.com/database/vulnerability/countdown-builder/wordpress-countdown-clock-plugin-2-3-1-authenticated-stored-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Jeong Wonjun, Ex.Mi
Verified
No
WPVDB ID
e18e69f7-3d28-4160-ab8e-c5064d894da0

Timeline

Publicly Published
2022-04-28 (about 3 years ago)
Added
2022-05-07 (about 3 years ago)
Last Updated
2026-02-10 (about 2 months ago)

Other

Published
Title
Published
2016-11-12
Title
Check Email < 0.5.2 - Cross-Site Scripting (XSS)
Published
2025-07-30
Title
GiveWP – Donation Plugin and Fundraising Platform < 4.6.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting
Published
2025-02-16
Title
easy-broken-link-checker <= 9.0.2 - Admin+ Stored XSS
Published
2025-09-22
Title
WooMS <= 9.12 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-07-18
Title
Partnerský systém Martinus <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting