Platform
wordpress
Component
countdown-builder
Fixed in
2.8.10
CVE-2025-2270 describes a Local File Inclusion (LFI) vulnerability affecting the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to code execution and sensitive data exposure. The vulnerability impacts versions 0.0.0 through 2.8.9.1, and a fix is available in version 2.8.10.
The LFI vulnerability in the Countdown plugin allows an attacker to execute arbitrary PHP code on the server. By manipulating the createCdObj function, an attacker can specify a file path to include, effectively reading and potentially executing any file accessible to the webserver user. This could lead to the disclosure of sensitive configuration files, database credentials, or even the complete takeover of the WordPress site. The impact is significant as it allows for code execution without authentication, enabling attackers to bypass access controls and escalate privileges. A successful exploit could result in data breaches, website defacement, and complete system compromise.
CVE-2025-2270 has been publicly disclosed and a proof-of-concept is likely to emerge. The vulnerability's ease of exploitation and the popularity of the Countdown plugin suggest a moderate risk of active exploitation. It was published on 2025-04-04. The CVSS score of 8.1 (HIGH) reflects the potential for significant impact.
Exploit Status
EPSS
0.65% (71% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-2270 is to immediately upgrade the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin to version 2.8.10 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file paths in the createCdObj parameter. Additionally, restrict file permissions on the WordPress server to minimize the potential impact of a successful exploit. After upgrading, verify the fix by attempting to access a non-existent file through the vulnerable parameter; the server should return a 404 error instead of including the file.
Actualice el plugin Countdown, Coming Soon, Maintenance – Countdown & Clock a la versión 2.8.10 o superior para mitigar la vulnerabilidad de inclusión de archivos locales. Verifique que su instalación de WordPress esté actualizada y que tenga las últimas medidas de seguridad implementadas. Considere utilizar un plugin de seguridad de WordPress para una protección adicional.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-2270 is a Local File Inclusion vulnerability in the Countdown plugin for WordPress, allowing attackers to potentially execute arbitrary code. It affects versions 0.0.0–2.8.9.1.
If you are using the Countdown plugin in WordPress versions 0.0.0 through 2.8.9.1, you are potentially affected by this vulnerability.
Upgrade the Countdown plugin to version 2.8.10 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
While active exploitation has not been confirmed, the vulnerability's ease of exploitation suggests a potential risk of exploitation.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.