Platform
wordpress
Component
countdown-builder
Fixed in
2.8.10
CVE-2025-2270 describes a Local File Inclusion (LFI) vulnerability in the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress. It allows unauthenticated attackers to include arbitrary files from the server's filesystem, which can lead to code execution (if an included file contains PHP) and to disclosure of sensitive data. The vulnerability affects versions 0.0.0 through 2.8.9.1 and is fixed in version 2.8.10.
The flaw is in the plugin's createCdObj function: the file path it includes can be influenced by an unauthenticated request, so an attacker can make the plugin read, and if the file contains PHP, execute, any file readable by the web server user. Typical consequences are disclosure of configuration files and database credentials (for example wp-config.php), execution of attacker-controlled content that has been written somewhere on the server (such as an uploaded file or a poisoned log), and ultimately full takeover of the WordPress site. The impact is significant because no authentication is required, so the plugin's presence alone exposes the site.
CVE-2025-2270 has been publicly disclosed and a proof-of-concept is likely to emerge. The low barrier to exploitation and the popularity of the plugin suggest a moderate risk of active exploitation. It was published on 2025-04-04. The CVSS score of 8.1 (HIGH) reflects the potential impact.
Websites running the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin at an unpatched version (0.0.0 through 2.8.9.1) are at risk. Shared hosting environments deserve particular attention: where the web server user can read files belonging to other sites or tenants, an LFI in one site extends the set of files an attacker can reach.
• wordpress / composer / npm: grep -r 'createCdObj' /var/www/html/wp-content/plugins/countdown-coming-soon-maintenance-countdown-clock/
• wordpress / composer / npm: wp plugin list --fields=name,version,status | grep -i countdown
• wordpress / composer / npm: wp plugin update countdown-coming-soon-maintenance-countdown-clock
Note: wp plugin list prints the plugin slug (directory name), not the display name, so grep for the slug or a fragment of it. The directory name used in the commands above must match the slug actually installed on the host; the component field on this page lists it as countdown-builder, so adjust the path and the update target to whichever directory exists under wp-content/plugins.
Disclosure
Exploit status
EPSS
0.65% (71st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-2270 is to upgrade the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin to version 2.8.10 or later immediately. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that blocks requests to the plugin carrying path-traversal sequences (such as ../) or PHP stream wrappers in their parameters reduces exposure, but it is a stopgap, not a fix. Also tighten file permissions on the WordPress host so that the web server user can read only what it needs, which limits what an include can reach. After upgrading, verify the fix by confirming that the installed plugin version is 2.8.10 or later (for example with wp plugin list); do not rely on probing the endpoint with crafted paths, since the response to a missing file says nothing about whether the include is still attacker-controlled.
Update the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin to version 2.8.10 or later to mitigate the local file inclusion vulnerability. Check that your WordPress installation is up to date and that current security measures are in place. Consider a WordPress security plugin for additional protection.
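The version check described above, scripted so it can be run across many hosts, as an added example that is not part of this advisory or of the plugin's own code. It reads the Version: line of the WordPress plugin header in the plugin directory passed on the command line and compares it against the fixed version 2.8.10 with a numeric dot-separated comparison (so 2.8.9.1 is correctly ordered below 2.8.10, which a plain string comparison gets wrong). The plugin directory path and the header layout are assumptions about the deployment.

```shell
#!/bin/sh
# Added example: report whether an installed copy of the Countdown plugin is
# below the fixed version (2.8.10) for CVE-2025-2270.
# Assumption (not from the advisory): each directory passed as an argument
# holds a standard WordPress plugin header file with a "Version:" line.

FIXED_VERSION="2.8.10"

# Print the value of the first "Version:" header line in a plugin file.
# Accepts both "Version: x" and " * Version: x" (inside a /** */ comment).
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_lt A B: exit 0 when A < B, comparing dot-separated numeric parts.
# Missing trailing parts count as 0, so 2.8 < 2.8.10 and 2.8.10.1 > 2.8.10.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ -n "$ai" ] || ai=0
    [ -n "$bi" ] || bi=0
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 1
}

# check_plugin DIR: print a verdict; return 0 if vulnerable, 1 if patched,
# 2 if the version could not be determined.
check_plugin() {
  dir="$1"
  # The plugin header lives in whichever top-level .php file carries "Plugin Name:".
  main=$(grep -l 'Plugin Name:' "$dir"/*.php 2>/dev/null | head -n 1)
  if [ -z "$main" ]; then
    echo "UNKNOWN: no plugin header found in $dir"
    return 2
  fi
  v=$(plugin_version "$main")
  if [ -z "$v" ]; then
    echo "UNKNOWN: no Version header in $main"
    return 2
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "VULNERABLE: $dir is version $v (< $FIXED_VERSION), CVE-2025-2270 applies"
    return 0
  fi
  echo "OK: $dir is version $v (>= $FIXED_VERSION)"
  return 1
}

# Usage: sh check-countdown.sh /var/www/html/wp-content/plugins/countdown-builder
for d in "$@"; do
  check_plugin "$d" || true
done
```

Run it with the plugin directory (or several, one per argument) and act on any VULNERABLE line; an UNKNOWN verdict means the directory does not look like a WordPress plugin and should be inspected by hand rather than assumed safe.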
CVE-2025-2270 is a Local File Inclusion vulnerability in the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress that can let unauthenticated attackers read server files and potentially execute arbitrary code. It affects plugin versions 0.0.0 through 2.8.9.1.
If you are running the Countdown plugin at any version from 0.0.0 through 2.8.9.1, you are affected by this vulnerability, regardless of your WordPress core version.
Upgrade the Countdown plugin to version 2.8.10 or later to resolve the vulnerability. WAF rules can serve as a temporary workaround until the upgrade is applied.
Active exploitation has not been confirmed, but the vulnerability requires no authentication and is straightforward to exploit, so the risk of exploitation is real.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.