Platform
wordpress
Component
redirect-countdown
Fixed in
1.0.1
CVE-2026-1390 describes a Cross-Site Request Forgery (CSRF, also written XSRF) vulnerability in the Redirect countdown plugin for WordPress. The plugin's settings handler accepts state-changing requests without verifying that they originated from its own settings form, so an unauthenticated attacker can have a logged-in administrator's browser submit a forged request that changes the plugin's configuration, redirecting visitors elsewhere or altering displayed content. Versions up to and including 1.0.0 are affected; the metadata above lists 1.0.1 as the fixed release, which should be confirmed against the plugin changelog before relying on it.
An attacker exploiting this CSRF vulnerability uses forged HTTP requests to modify the Redirect countdown plugin's configuration, including the redirect URL, the countdown timeout, and the custom text displayed during redirection. Successful exploitation can turn the site into a phishing redirector, send visitors to malicious websites, or deface the page shown during the countdown. The attack does not require the attacker to hold an account: it requires a logged-in administrator to visit an attacker-controlled page or follow a crafted link while their WordPress session cookies are valid, after which the browser submits the forged request with those cookies attached. The root cause is the missing nonce check; every state-changing admin action in WordPress should verify a nonce (and the caller's capability) before writing options.
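The following added example is not code from the Redirect countdown plugin; it shows the general pattern described above using hypothetical option names, a hypothetical `admin_post_` action and hypothetical form field names. The first handler mirrors the vulnerable shape (any POST that reaches it is honored), the second adds the capability check, nonce check and input validation that prevent a forged cross-site request from being accepted.

```php
<?php
// Added example, not the Redirect countdown plugin's own code.
// All rc_example_* names, the 'rc_example_save' action and the field names
// redirect_url / timeout / message are hypothetical.

// VULNERABLE PATTERN: a settings handler that trusts any POST it receives.
// A form auto-submitted from an attacker's page by a logged-in admin's browser
// arrives with the admin's cookies, and the options are overwritten.
function rc_example_save_settings_vulnerable() {
    update_option( 'rc_example_redirect_url', $_POST['redirect_url'] );
    update_option( 'rc_example_timeout', $_POST['timeout'] );
    update_option( 'rc_example_message', $_POST['message'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=rc-example' ) );
    exit;
}

// HARDENED PATTERN: capability check, nonce check, then validate and sanitize.
function rc_example_save_settings_hardened() {
    // 1. Only users permitted to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 2. The nonce binds the request to a form this site rendered for this user
    //    and action; check_admin_referer() calls wp_die() if it is absent or stale,
    //    which is exactly what a forged cross-site form cannot supply.
    check_admin_referer( 'rc_example_save_settings', 'rc_example_nonce' );

    // 3. Validate the values before they reach the database.
    $url = isset( $_POST['redirect_url'] )
        ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) )
        : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_die( 'Invalid redirect URL', '', array( 'response' => 400 ) );
    }

    $timeout = isset( $_POST['timeout'] ) ? absint( $_POST['timeout'] ) : 5;
    $timeout = max( 1, min( $timeout, 3600 ) ); // clamp to a sane range (assumed bounds)

    $message = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';

    update_option( 'rc_example_redirect_url', $url );
    update_option( 'rc_example_timeout', $timeout );
    update_option( 'rc_example_message', $message );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=rc-example' ) ) );
    exit;
}
add_action( 'admin_post_rc_example_save', 'rc_example_save_settings_hardened' );

// The legitimate settings form must emit the matching nonce field; a page on
// another origin cannot read this value, so it cannot forge a passing request.
function rc_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rc_example_save">
        <?php wp_nonce_field( 'rc_example_save_settings', 'rc_example_nonce' ); ?>
        <input type="url" name="redirect_url"
               value="<?php echo esc_attr( get_option( 'rc_example_redirect_url', '' ) ); ?>">
        <input type="number" name="timeout" min="1" max="3600"
               value="<?php echo esc_attr( get_option( 'rc_example_timeout', 5 ) ); ?>">
        <input type="text" name="message"
               value="<?php echo esc_attr( get_option( 'rc_example_message', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Two caveats when applying this pattern: `wp_http_validate_url()` rejects loopback and private-network hosts by default, so a site that legitimately redirects to an intranet address would need the `http_request_host_is_external` filter or a different validator; and the nonce check is a CSRF defense only, so the `current_user_can()` check must stay in place to stop a low-privilege authenticated user who can obtain a nonce from changing the options.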
CVE-2026-1390 was publicly disclosed on 2026-03-21. No public proof-of-concept (PoC) code had been released at the time of writing. The EPSS score is 0.01% (2nd percentile), and the CVE is not listed in the CISA KEV catalog. CSRF against a plugin settings page is simple to weaponize once the target form and parameters are known, so targeting remains plausible even though exploitation still depends on luring an administrator.
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1390 is to upgrade the Redirect countdown plugin to the fixed release listed above (1.0.1) after confirming it against the plugin changelog. Where an upgrade cannot be applied yet, disable the plugin if it is not essential. Limit the number of accounts holding the capability to change plugin settings, and remind administrators not to follow untrusted links while logged in to wp-admin. A Web Application Firewall can add a layer of defense by rejecting state-changing requests to wp-admin whose Origin or Referer header is not the site itself, although this is a coarse control that only limits, rather than removes, the exposure. Regularly review the plugin's stored settings, in particular the redirect URL, for unauthorized changes.
If the fixed release cannot be confirmed or deployed, review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-1390 is a Cross-Site Request Forgery (CSRF/XSRF) vulnerability in the Redirect countdown WordPress plugin that lets an attacker modify plugin settings via a forged request submitted by a logged-in administrator's browser.
If you are running the Redirect countdown plugin at version 1.0.0 or earlier (the plugin version, not the WordPress core version), you are potentially affected by this vulnerability.
Upgrade the Redirect countdown plugin to the fixed release listed above (1.0.1) once you have confirmed it against the plugin changelog. Until then, consider disabling the plugin or restricting cross-origin state-changing requests to wp-admin with WAF rules.
There are currently no confirmed reports of active exploitation, but CSRF against a settings page is simple to weaponize, so the vulnerability could be targeted in the future.
Refer to the WordPress security announcements page and the Redirect countdown plugin's official page and changelog for updates and advisories related to CVE-2026-1390.