CVE-2025-24719
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Widget Countdown widget-countdown allows Stored XSS. This issue affects Widget Countdown: from n/a through <= 2.7.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress Widget Countdown plugin allows attackers to inject malicious scripts via improper input neutralization.
Vulnerability Overview
The Widget Countdown plugin for WordPress, in versions up to and including 2.7.1, is affected by a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of user input during page generation. An authenticated user with contributor-level access or higher can inject arbitrary web script into the plugin's settings or widget content; the payload is stored and later executes in the browser of anyone who views the affected page [1].
Exploitation and Attack Surface
Exploitation requires an authenticated account with at least contributor privileges, which submits the payload through an input field that the plugin stores without sanitizing. The victim needs to do nothing beyond loading a page that contains the affected widget: the stored script runs automatically as the page renders. Because the same payload works against every site running a vulnerable version, the flaw lends itself to automated campaigns against many installations [1].
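As an added illustration (not code from the Widget Countdown plugin; the plugin's actual code path is not shown on this page), the PHP below models the pattern the advisory describes: a shortcode attribute that a contributor controls is stored with the post and interpolated into the widget's markup verbatim, next to a hardened renderer that validates the timestamp as an integer and escapes each value for the HTML context it lands in. The shortcode name, attribute names, markup and payloads are assumptions constructed for this example; the function_exists() fallbacks stand in for WordPress's esc_attr(), esc_html() and absint() only so the file runs on its own with plain php.

```php
<?php
/**
 * Added illustration of the CWE-79 pattern described above. NOT code from the
 * Widget Countdown plugin; shortcode name, attribute names, markup and payloads
 * are assumptions. The fallbacks below stand in for WordPress's esc_attr(),
 * esc_html() and absint() only so this file runs outside WordPress
 * (php wcd_demo.php); inside WordPress the real functions are used.
 */

if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($maybeint) {
        return abs((int) $maybeint);   // same body as WordPress core's absint()
    }
}

/** Vulnerable: attribute values a contributor controls are interpolated verbatim. */
function wcd_demo_render_vulnerable(array $atts): string {
    $title = $atts['title'] ?? 'Countdown';
    $end   = $atts['end'] ?? '0';
    return "<div class=\"countdown\" data-title=\"{$title}\" data-end=\"{$end}\">"
         . "<h3>{$title}</h3></div>";
}

/** Hardened: validate the type on the way in, escape for the exact HTML context on the way out. */
function wcd_demo_render_hardened(array $atts): string {
    $title = (string) ($atts['title'] ?? 'Countdown');
    $end   = absint($atts['end'] ?? 0);   // a Unix timestamp is an integer; anything else becomes 0
    return '<div class="countdown" data-title="' . esc_attr($title) . '" data-end="' . esc_attr($end) . '">'
         . '<h3>' . esc_html($title) . '</h3></div>';
}

// Inside WordPress the hardened renderer would be registered as a shortcode
// (commented out so the file also runs outside WordPress):
//
//   add_shortcode('wcd_demo_countdown', function ($atts) {
//       $atts = shortcode_atts(['title' => 'Countdown', 'end' => 0], $atts, 'wcd_demo_countdown');
//       return wcd_demo_render_hardened($atts);
//   });
//
// Why the contributor role matters: contributors lack the unfiltered_html capability,
// so wp_kses strips <script> tags and on* attributes from their post body, but a
// shortcode attribute containing no '<' passes through untouched. The attribute
// break-outs below therefore reach the renderer, and once the post is published
// the script runs for every visitor.

/** Constructed payloads of the kind a contributor could place in a shortcode attribute. */
function wcd_demo_payloads(): array {
    return [
        ['title' => 'Sale" onmouseover="alert(document.domain)', 'end' => '1767225600'],
        ['title' => 'Sale', 'end' => '0" tabindex="0" autofocus="autofocus" onfocus="alert(1)'],
    ];
}

/** True if the rendered HTML, parsed as a browser would, carries any on* event-handler attribute. */
function wcd_demo_has_handler(string $html): bool {
    $dom = new DOMDocument();
    @$dom->loadHTML($html);                       // tolerant parse, warnings suppressed
    foreach ($dom->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (wcd_demo_payloads() as $p) {
        $bad  = wcd_demo_render_vulnerable($p);
        $good = wcd_demo_render_hardened($p);
        printf("vulnerable (handler present: %s):\n  %s\n", wcd_demo_has_handler($bad) ? 'yes' : 'no', $bad);
        printf("hardened   (handler present: %s):\n  %s\n\n", wcd_demo_has_handler($good) ? 'yes' : 'no', $good);
    }
}
```

Run with php wcd_demo.php: for both payloads the vulnerable renderer yields a div carrying an onmouseover or onfocus attribute, while the hardened renderer yields none, because the quote that closed the attribute has become &quot; and the non-numeric timestamp has collapsed to 0. The two controls are deliberately different: esc_attr()/esc_html() neutralise metacharacters for a known output context, whereas absint() rejects the wrong input type outright, which is the right tool whenever the value has a strict shape such as a timestamp.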
Impact
Successful exploitation lets an attacker run script in the browser of anyone who views the affected page: redirecting visitors to malicious sites, injecting advertisements, stealing cookies, or defacing the site. One caveat on cookie theft: WordPress sets its authentication cookies with the HttpOnly flag, so when the viewer is a logged-in editor or administrator the more realistic outcome is script that performs actions in that user's authenticated session rather than exfiltration of the cookie itself. The CVSS score of 6.5 indicates medium severity, reflecting that a contributor-level account is required and that a victim must load the page, but the potential for widespread exploitation in automated campaigns raises the practical risk, especially for sites that hand contributor accounts to untrusted users [1].
Mitigation
The vendor has released version 2.7.2, which addresses the vulnerability by sanitizing the affected inputs. Update to 2.7.2 or later without delay. Patchstack users can enable auto-updates for vulnerable plugins so the fix is applied as soon as it is available. Until the update is in place, review which accounts hold the contributor role or higher, since that privilege is what the attack requires [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Widget Countdown (wpdevart): <= 2.7.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.