Platform
wordpress
Component
redirect-countdown
Fixed version
1.0.1
CVE-2026-1390 is a Cross-Site Request Forgery (CSRF, also written XSRF) vulnerability in the Redirect countdown plugin for WordPress. A forged request can change the plugin's settings without the administrator's intent, so an attacker can send visitors elsewhere or alter what the site shows during the countdown. The attacker needs no account on the site; what they need is a logged-in user who can change the plugin's settings to open attacker-controlled content. The affected range is stated as versions 1.0.0 through 1.0. The header of this page lists 1.0.1 as the fixed version, while the text below says a fix is still expected; check the plugin's changelog to confirm whether 1.0.1 has been released and contains the fix before relying on it.
Exploitation means getting a logged-in administrator's browser to submit a forged HTTP request to the plugin's settings handler, for example through a hidden, auto-submitted form on a page the attacker controls. The browser attaches the victim's session cookie, and because the handler does not validate a nonce, the plugin has no way to tell the forged request from one the administrator submitted on purpose. The settings reachable this way include the redirect URL, the countdown timeout and the custom text displayed during redirection, which is enough for phishing, redirection to a malicious site or defacement. Every administrator who browses the web while logged in is a candidate victim, so the risk scales with how many sites run the plugin. The root cause is the missing check that WordPress provides for exactly this purpose: a capability check followed by nonce validation (check_admin_referer() or check_ajax_referer()) before any state-changing action.
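As an added illustration, not the Redirect countdown plugin's code and not from this page, the following shows the missing check in a generic WordPress settings handler beside its hardened form. The function names, the AJAX action name rc_example_save, the option name rc_example_settings and the field names are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's code. All rc_example_* names are hypothetical.

// Settings page markup used by the hardened handler. wp_nonce_field() embeds a
// nonce bound to the current user and session; only pages rendered by this site
// can contain a valid one, which is what a forged cross-site form lacks.
function rc_example_render_form() {
    ?>
    <form id="rc-example" method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <?php wp_nonce_field( 'rc_example_save', 'nonce' ); ?>
        <input type="hidden" name="action" value="rc_example_save">
        <input type="url" name="redirect_url" value="">
        <input type="number" name="timeout" value="5">
        <input type="text" name="text" value="">
        <button type="submit">Save</button>
    </form>
    <?php
}

// Shared sanitisation. Cleaning the input is necessary but does nothing against
// CSRF: the attacker's forged values are perfectly well-formed URLs and text.
function rc_example_collect_settings() {
    return array(
        'redirect_url' => isset( $_POST['redirect_url'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) ) : '',
        'timeout'      => isset( $_POST['timeout'] ) ? absint( $_POST['timeout'] ) : 5,
        'text'         => isset( $_POST['text'] ) ? sanitize_text_field( wp_unslash( $_POST['text'] ) ) : '',
    );
}

// VULNERABLE: nothing proves the request was issued on purpose from this site.
// A hidden form on an attacker's page, auto-submitted while an administrator is
// logged in, carries the admin's session cookie and is accepted as-is.
function rc_example_save_vulnerable() {
    update_option( 'rc_example_settings', rc_example_collect_settings() );
    wp_send_json_success();
}

// HARDENED: capability check, then nonce check, before any state change.
// check_ajax_referer() ends the request with HTTP 403 (body "-1") when the nonce
// is absent or does not verify for the current user.
function rc_example_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'rc_example_save', 'nonce' );
    update_option( 'rc_example_settings', rc_example_collect_settings() );
    wp_send_json_success();
}

// Register the hardened handler for logged-in users only. Hooking a settings
// writer on wp_ajax_nopriv_* would make it reachable with no session at all,
// which is a direct unauthenticated write rather than CSRF.
add_action( 'wp_ajax_rc_example_save', 'rc_example_save_hardened' );
```

The forged request an attacker would host is the same form without the nonce field, submitted by script from another origin while the victim is logged in; against the hardened handler it is refused with 403. The capability check is ordered first so that a low-privilege account with a valid nonce for some other action cannot reach the write either.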
CVE-2026-1390 was publicly disclosed on 2026-03-21. No public proof-of-concept (PoC) code had been released at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score shown on this page is 0.01% (2nd percentile). Because a CSRF proof of concept is a single HTML form, the absence of a public PoC says little about how hard exploitation is, and the vulnerability could be targeted in the future.
WordPress sites with the Redirect countdown plugin installed and active are at risk. The attack needs a logged-in user with permission to change the plugin's settings to load attacker-controlled content (a link, an embedded image or a page) while their session cookie is valid; the hosting model does not change this, since a CSRF request is bound to the target site's own session and does not cross over to other tenants on a shared server. Administrators who browse untrusted sites while logged in to wp-admin are the most exposed.
• wordpress / composer / npm:
grep -r 'countdown_settings_content()' /var/www/html/wp-content/plugins/redirect-countdown/
This only confirms that the plugin directory and the named function are present; it does not tell you the installed version. Read the Version: header of the plugin's main file, or the plugin's entry in the wp-admin plugins list, and compare it with the fixed version shown above.
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=redirect_countdown_settings_content&nonce=malicious_nonce' | grep -i '200 OK'
The URL must be quoted, or the shell treats the & as a background operator and sends a request without the nonce parameter. Even quoted, this check is weak: admin-ajax.php answers 200 with a body of "0" to any unknown or unhandled action, so a 200 status neither proves the settings endpoint is reachable nor that it is unpatched. Treat it as a reachability probe only.
Disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1390 is to upgrade to a patched version of the Redirect countdown plugin as soon as one is confirmed available. Until then, disable or remove the plugin if it is not essential. Restrict the ability to change plugin settings to as few accounts as possible, and have administrators use a separate browser profile for wp-admin so that a casual click elsewhere does not carry their session. A Web Application Firewall (WAF) or a server-side rule that rejects state-changing requests to wp-admin whose Origin or Referer header does not match the site adds a layer of defence, but it is coarse: those headers can be absent, and the rule cannot see whether the administrator intended the request, so it does not replace nonce validation in the handler. Review the plugin's settings regularly (redirect URL, timeout, custom text) for changes nobody made.
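As an added example of the origin-based rule mentioned above, not from this page and not part of the plugin, here is a must-use plugin that rejects state-changing admin requests whose Origin (or, failing that, Referer) names a host other than the site's own. The file name and placement are assumptions; the WordPress functions are real.

```php
<?php
// Added example, not from the page or the plugin. Save as
// wp-content/mu-plugins/rc-origin-guard.php (hypothetical name); mu-plugins
// load automatically and cannot be disabled from wp-admin.
//
// This is WAF-style defence in depth. Its limits: a request carrying neither
// Origin nor Referer cannot be judged and is let through to the handler's own
// nonce check; the REST API (/wp-json/) is not covered; sites served under
// several hostnames must extend the allowed-host comparison.
add_action( 'init', function () {
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if ( ! in_array( $method, array( 'POST', 'PUT', 'PATCH', 'DELETE' ), true ) ) {
        return; // reads are not the concern here
    }
    if ( ! is_user_logged_in() ) {
        return; // with no session there is nothing for CSRF to ride on
    }
    if ( ! ( is_admin() || wp_doing_ajax() ) ) {
        return; // scope to wp-admin/ and admin-ajax.php
    }

    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ( $source === '' ) {
        return; // undecidable here; the handler's nonce check is the real gate
    }

    $expected = wp_parse_url( home_url(), PHP_URL_HOST );
    $actual   = wp_parse_url( $source, PHP_URL_HOST ); // null for "Origin: null"

    if ( ! $actual || strcasecmp( $actual, $expected ) !== 0 ) {
        wp_die(
            'Cross-site request rejected.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }
}, 0 ); // priority 0: run before plugins hook their own init work
```

A forged form posted from the attacker's page arrives with an Origin header of the attacker's site and is refused before any plugin code runs. Test it against your own admin first: any legitimate integration that posts to admin-ajax.php from another origin will be blocked too and must be allow-listed explicitly.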
No known fix patch is available. Review the vulnerability details carefully and apply mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find an alternative.
CVE-2026-1390 is a Cross-Site Request Forgery (CSRF) vulnerability in the Redirect countdown WordPress plugin, allowing an attacker to modify the plugin's settings via a forged request submitted by a logged-in administrator's browser.
If you are running Redirect countdown plugin versions 1.0.0 through 1.0 on WordPress, you are potentially affected by this vulnerability.
Upgrade to a patched version of the Redirect countdown plugin as soon as it becomes available. Until then, consider disabling the plugin or implementing WAF rules.
There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it could be targeted in the future.
Refer to the WordPress security announcements page and the Redirect countdown plugin's official website for updates and advisories related to CVE-2026-1390.