Wow Countdowns <= 3.1.2 - Admin+ SQLi
Description
The Wow Countdowns WordPress plugin through 3.1.2 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress / Wow Countdowns
- Range: <=3.1.2
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization on the 'did' parameter allows SQL injection."
Attack vector
An authenticated attacker with Administrator+ privileges can supply a crafted value in the 'did' parameter. The plugin fails to sanitize this input before incorporating it into a SQL statement, allowing the attacker to inject arbitrary SQL commands [CWE-89] [ref_id=1]. The attack is performed over HTTP by sending a malicious request to the affected admin page.
Affected code
The advisory does not specify the exact file or function name. The vulnerable parameter is 'did', which is used unsanitized in a SQL statement within the Wow Countdowns plugin (slug: mwp-countdown) through version 3.1.2 [ref_id=1].
What the fix does
No fix has been published by the vendor as of the advisory's last update [ref_id=1]. The remediation would require the plugin to properly sanitize and escape the 'did' parameter before using it in a SQL query, such as by using WordPress's `$wpdb->prepare()` or casting the value to an integer if it is expected to be numeric.
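To make the remediation concrete, the following is an added illustration written for this page, not code from the Wow Countdowns plugin (whose vulnerable file and function the advisory does not name). The table name, the lookup-by-id action and the nonce action name are assumptions; the point is the contrast between concatenating 'did' into the query and binding it through `absint()` and `$wpdb->prepare()`.

```php
<?php
// Added example, not the plugin's own code. The table wp_mwp_countdowns, the
// "look up one countdown row by id" behaviour and the nonce action name are
// hypothetical; the advisory does not specify them.

// Pattern the advisory describes (CWE-89): the raw 'did' value is spliced into
// the SQL string, so anything other than a plain number becomes part of the query.
function mwp_get_countdown_unsafe( $did ) {
    global $wpdb;
    // DO NOT USE: untrusted input concatenated into SQL.
    return $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}mwp_countdowns WHERE id = " . $did
    );
}

// Hardened version. Three independent layers: a capability check so only
// intended users reach the handler, a nonce check against forged admin
// requests, and an integer cast plus a prepared statement so 'did' can never
// alter the SQL structure.
function mwp_get_countdown_safe() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Verifies the _wpnonce field for this admin action (assumed action name).
    check_admin_referer( 'mwp_view_countdown' );

    // absint() turns anything that is not a non-negative integer into 0.
    $did = isset( $_REQUEST['did'] ) ? absint( $_REQUEST['did'] ) : 0;
    if ( 0 === $did ) {
        wp_die( 'Invalid countdown id.' );
    }

    // %d binds the value as an integer. Even without the cast above, the
    // placeholder prevents injection; with it, the query only ever sees a number.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}mwp_countdowns WHERE id = %d",
        $did
    );
    return $wpdb->get_row( $sql );
}
```

The same pattern applies whichever statement the real handler runs (SELECT, UPDATE or DELETE): the identifier comes from the request, so it must be type-constrained and bound, never concatenated.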
Preconditions
- auth: Attacker must be authenticated with Administrator+ role
- config: The Wow Countdowns plugin (mwp-countdown) must be installed and activated
- input: Attacker must be able to supply input to the 'did' parameter
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/30c70315-3c17-41f0-a12f-7e3f793e259c