WordPress Plugin Vulnerabilities

Countdown & Clock < 2.8.9 - Authenticated (Contributor+) Remote Code Execution

Description

The Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.8.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
countdown-builder
Fixed in 2.8.9

References

CVE
CVE-2025-30841
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8bed0bb4-11d6-4533-a6e1-8e8986dd92d1

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
8.8 (high)

Miscellaneous

Original Researcher
astra.r3verii
Verified
No
WPVDB ID
f613e39a-dc4b-41de-b29f-b43db8f7dd39

Timeline

Publicly Published
2025-04-01 (about 1 year ago)
Added
2025-04-10 (about 1 year ago)
Last Updated
2025-04-10 (about 1 year ago)

Other

Published
Title
Published
2024-05-17
Title
ArForms < 6.6 - Unauthenticated RCE
Published
2014-08-01
Title
WPtouch 1.9.8 - ajax/file_upload.php Crafted Content-Type File Upload Remote Code Execution
Published
2024-12-12
Title
Simple Link Directory < 8.4.6 - Unauthenticated Arbitrary Shortcode Execution
Published
2025-02-17
Title
Uncode Core < 2.9.1.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution in uncode_get_medias
Published
2014-08-01
Title
WP-Super-Cache 1.3 - Remote Code Execution