Platform
wordpress
Component
countdown-builder
Fixed in
2.8.10
CVE-2025-2270 describes a Local File Inclusion (LFI) vulnerability affecting the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to code execution and sensitive data exposure. The vulnerability impacts versions 0.0.0 through 2.8.9.1, and a fix is available in version 2.8.10.
The impact of this LFI vulnerability is significant. An attacker can leverage it to execute arbitrary PHP code on the web server, effectively gaining control over the WordPress instance. This could involve reading sensitive configuration files, modifying database content, injecting malicious code into other plugins or themes, or even achieving remote code execution (RCE) if the attacker can upload a malicious PHP file. The ability to execute arbitrary code bypasses standard access controls, making it a particularly dangerous vulnerability. Successful exploitation could lead to complete website defacement, data breaches, and potential compromise of the underlying server.
CVE-2025-2270 was publicly disclosed on 2025-04-04. While no public proof-of-concept (PoC) code has been widely reported, the LFI nature of the vulnerability makes it relatively straightforward to exploit. The EPSS score is likely to be medium, reflecting the ease of exploitation and potential impact. Monitor WordPress security forums and vulnerability databases for any emerging exploitation attempts.
Websites utilizing the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin, particularly those running older, unpatched versions (0.0.0–2.8.9.1), are at significant risk. Shared hosting environments where WordPress installations have limited access controls are also particularly vulnerable.
• wordpress / composer / npm:
grep -r 'createCdObj' /var/www/html/wp-content/plugins/countdown-coming-soon-maintenance-countdown-clock/
• wordpress / composer / npm:
wp plugin list | grep 'Countdown, Coming Soon, Maintenance'
• wordpress / composer / npm:
wp plugin update countdown-coming-soon-maintenance-countdown-clock
Disclosure
Exploit status
EPSS
0.65% (71st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2270 is to immediately upgrade the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin to version 2.8.10 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily restricting access to the vulnerable plugin's directory. While not a complete solution, this can limit the attacker’s ability to execute arbitrary code. Additionally, review server configurations to ensure proper file permissions and restrict PHP execution in the plugin’s directory. After upgrading, verify the fix by attempting to access the vulnerable endpoint with a known malicious filename; the server should return an error instead of executing the file.
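As an added example (not code from the advisory or from the plugin's authors), the script below turns the detection and upgrade steps above into a repeatable check: it reads the "Version:" line that every WordPress plugin's main file carries in its header and flags any copy older than the fixed release 2.8.10. The two sample plugin files are constructed stand-ins for the real wp-content/plugins tree, and sort(1) is assumed to support -V (GNU and BSD coreutils).

```shell
#!/bin/sh
# Added example, not part of the advisory: flag installed copies of the plugin
# that are still in the affected range (< 2.8.10) by reading the "Version:"
# line of the WordPress plugin header. Assumes sort(1) supports -V.
FIXED_VERSION="2.8.10"

# Print the Version: header value of a plugin main file (empty if absent).
plugin_version() {
    # Header lines look like " * Version: 2.8.9.1" inside the opening comment.
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Succeed when $1 sorts strictly before $2 in version order (2.8.9.1 < 2.8.10).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Return 0 if the plugin at $1 is affected, 1 if patched, 2 if no version found.
check_plugin() {
    v=$(plugin_version "$1")
    [ -n "$v" ] || { echo "unknown: no Version header in $1"; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE: $1 is $v (fixed in $FIXED_VERSION)"
        return 0
    fi
    echo "ok: $1 is $v"
    return 1
}

# Constructed sample plugin files standing in for wp-content/plugins/<slug>/.
demo_dir=$(mktemp -d)
cat > "$demo_dir/old.php" <<'EOF'
<?php
/**
 * Plugin Name: Countdown, Coming Soon, Maintenance – Countdown & Clock
 * Version: 2.8.9.1
 */
EOF
cat > "$demo_dir/new.php" <<'EOF'
<?php
/*
Plugin Name: Countdown, Coming Soon, Maintenance – Countdown & Clock
Version: 2.8.10
*/
EOF
for f in "$demo_dir"/*.php; do
    check_plugin "$f" || true   # old.php -> VULNERABLE, new.php -> ok
done
```

On a real host, point check_plugin at the plugin's main PHP file under the slug directory shown in the detection commands above; the non-zero exit codes let it drop into a fleet-wide inventory loop.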
Update the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin to version 2.8.10 or later to mitigate the local file inclusion vulnerability. Verify that your WordPress installation is up to date and has the latest security measures in place. Consider using a WordPress security plugin for additional protection.
CVE-2025-2270 is a Local File Inclusion vulnerability in the Countdown plugin for WordPress, allowing attackers to potentially execute arbitrary code. It affects versions 0.0.0–2.8.9.1.
If you are using the Countdown plugin in WordPress versions 0.0.0 through 2.8.9.1, you are potentially affected by this vulnerability.
Upgrade the Countdown plugin to version 2.8.10 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
While active exploitation has not been confirmed, the vulnerability is easy to exploit, so a real risk of exploitation remains.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.