High severity 8.5 · NVD Advisory · Published Dec 16, 2025 · Updated Apr 27, 2026

CVE-2025-68054

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown With Image or Video Background countdown_with_background allows Blind SQL Injection. This issue affects CountDown With Image or Video Background: from n/a through <= 1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL injection in WordPress CountDown With Image or Video Background plugin up to 1.5 allows database interaction.

The CountDown With Image or Video Background plugin for WordPress versions through 1.5 contains a blind SQL injection vulnerability due to improper neutralization of special elements used in an SQL command. This flaw exists in the countdown_with_background component, allowing an attacker to inject arbitrary SQL queries.

Exploitation does not require authentication and can be performed over the network. The blind nature of the injection means an attacker can infer information from the database by observing differences in application responses. This attack vector is commonly used in mass-exploit campaigns targeting WordPress sites [1].

Successful exploitation could allow an attacker to retrieve sensitive data from the database, such as user credentials or other confidential information. The CVSS score of 8.5 (High) reflects the potential for significant impact on confidentiality [1].

The vulnerability affects all versions up to and including 1.5. Users are strongly advised to update the plugin to a patched version as soon as possible. If immediate updating is not feasible, temporary measures such as disabling the plugin or consulting with a web hosting provider are recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
