Platform
wordpress
Component
countdown-builder
Fixed in
2.8.9
CVE-2025-30841 describes a Remote Code Execution (RCE) vulnerability in the Countdown & Clock WordPress plugin. The root cause is improper limitation of a pathname to a restricted directory (path traversal): a path the plugin includes is not confined to its own directory, so an attacker can have the plugin include a file of their choosing and execute arbitrary code through remote code inclusion. All versions up to and including 2.8.8 are affected (the advisory gives the range as 0.0.0–2.8.8). A patch is available in version 2.8.9.
The impact of CVE-2025-30841 is severe. An attacker exploiting this vulnerability achieves remote code inclusion (RCI), which amounts to control of the web server process hosting the vulnerable WordPress site: for example by uploading and then including a malicious PHP script, leading to complete compromise of the site. Data at risk includes user records in the WordPress database, the site's files and, if the server is not segmented, other systems reachable from it. The blast radius extends to every visitor of the compromised site, since an attacker who controls the server can inject malicious content or redirect users to phishing pages.
CVE-2025-30841 was publicly disclosed on 2025-04-01. Its severity is rated CRITICAL (CVSS 9.9). Public proof-of-concept (PoC) code is likely to emerge, since path traversal vulnerabilities are typically easy to exploit once the vulnerable parameter is known. The potential for widespread exploitation is high given the popularity of the Countdown & Clock plugin. It is not currently listed on CISA KEV.
Websites running the Countdown & Clock plugin, in particular unpatched installations (0.0.0–2.8.8), are at significant risk. Shared hosting environments deserve extra attention, because compromise of one site can spread to other sites on the same server. Sites that rely on the plugin for time-critical countdowns or promotional campaigns also face disruption on top of data theft.
• wordpress / composer / npm (installed version, whether or not the plugin is active):
wp plugin list --name=countdown-builder --fields=name,status,version
• wordpress / composer / npm (heuristic only: relative includes are common in legitimate PHP, so review each hit by hand; -F makes grep treat "../" as a fixed string instead of a regex):
grep -rnF '../' /var/www/html/wp-content/plugins/countdown-builder/
• generic web (crude traversal probe; --path-as-is stops curl from collapsing the ../ segments itself, but most web servers normalise them anyway, so a 404 does not prove the plugin is patched and a 200 for /etc/passwd points at a misconfigured server rather than this specific flaw):
curl -sI --path-as-is 'http://your-wordpress-site.com/wp-content/plugins/countdown-builder/../../../../etc/passwd'
Exploit Status
EPSS
0.40% (61st percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-30841 is to upgrade the Countdown & Clock plugin to version 2.8.9 or later immediately. If upgrading is not feasible right away because of compatibility issues or breaking changes, temporarily restrict access to the plugin's file upload functionality. Web Application Firewall (WAF) rules can block requests to the plugin containing traversal sequences; such rules must match after URL decoding, since attackers routinely send ../ as %2e%2e%2f or double-encoded as %252e%252e%252f. Monitor WordPress access logs for requests into the plugin directory that carry traversal sequences or reference files outside it (wp-config.php, /etc/passwd), and treat blocked (403) attempts as exploitation activity too. After upgrading, confirm the installed version is 2.8.9 or later and, if you recorded a traversal request during triage, replay it: the plugin should now reject it.
Update the Countdown & Clock plugin to the latest available version to mitigate the directory traversal vulnerability. Check for available updates in the WordPress repository or on the developer's website. Make a full backup of your website before applying updates.
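The log monitoring described above, as an added example that is not part of the original advisory or the plugin's code: a Python scanner that parses Apache combined-format access log lines, percent-decodes the request path and query values repeatedly to defeat double encoding, and flags requests into the plugin directory that contain a ".." segment. The log lines are constructed for this example; the endpoint admin/ajax.php and the file= parameter are made up, since the advisory does not name the vulnerable entry point.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample traffic (Apache combined format). The endpoint and the
# "file" parameter are hypothetical; the advisory does not name them.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2025:10:00:01 +0000] "GET /wp-content/plugins/countdown-builder/admin/ajax.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [02/Apr/2025:10:00:02 +0000] "GET /wp-content/plugins/countdown-builder/admin/ajax.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.5 - - [02/Apr/2025:10:00:03 +0000] "GET /wp-content/plugins/countdown-builder/admin/ajax.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.7 - - [02/Apr/2025:10:00:04 +0000] "GET /wp-content/plugins/countdown-builder/assets/js/countdown.js HTTP/1.1" 200 8192 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2025:10:00:05 +0000] "GET /?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PREFIX = "/wp-content/plugins/countdown-builder/"
# A ".." that forms its own path segment, after decoding and slash normalisation.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize(value, rounds=3):
    """Percent-decode until stable (bounded), then fold backslashes to slashes.

    %252e%252e%252f -> %2e%2e%2f -> ../ : a single decode would miss it.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(target):
    """True if the path or any query value contains a '..' segment once decoded."""
    parts = urlsplit(target)
    candidates = [parts.path]
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(TRAVERSAL_RE.search(normalize(c)) for c in candidates)


def scan(log_text, require_plugin_path=True):
    """Return (ip, status, target) for every suspicious request.

    Blocked requests (403) are kept on purpose: they are still exploitation
    attempts worth correlating with the source IP.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        path = normalize(urlsplit(target).path)
        if require_plugin_path and not path.startswith(PLUGIN_PREFIX):
            continue
        if has_traversal(target):
            hits.append((m.group("ip"), m.group("status"), target))
    return hits


if __name__ == "__main__":
    for ip, status, target in scan(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Run it against a real log with `scan(open("/var/log/apache2/access.log").read())`; pass `require_plugin_path=False` to hunt for traversal attempts against any path on the host.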
CVE-2025-30841 is a critical Remote Code Execution vulnerability in the Countdown & Clock WordPress plugin that lets attackers execute arbitrary code via path traversal.
You are affected if you run Countdown & Clock versions 0.0.0 through 2.8.8. Check the installed plugin version and update immediately.
Upgrade the Countdown & Clock plugin to version 2.8.9 or later to patch the vulnerability. If an immediate upgrade is not possible, restrict the plugin's file upload functionality until you can.
No active exploitation has been confirmed, but the ease of exploitation makes exploitation in the near future likely.
Refer to the official Countdown & Clock plugin website or the WordPress plugin repository for the latest security advisory and update information.
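The version check recommended above, as an added example that is not part of the advisory or the plugin: a Python helper for hosts without WP-CLI that reads the `Version:` header from the plugin's main PHP file and compares it numerically against 2.8.9. The sample header below is constructed, and the default plugin directory is an assumption matching the path used earlier on this page. Numeric comparison matters: a string comparison would wrongly rank a hypothetical 2.10.0 below 2.8.9.

```python
import re
from pathlib import Path

FIXED_VERSION = "2.8.9"
# Assumed install location; adjust to your WordPress root.
DEFAULT_PLUGIN_DIR = "/var/www/html/wp-content/plugins/countdown-builder"

# Matches the "Version:" line of a WordPress plugin header inside a PHP comment.
HEADER_RE = re.compile(r'^[ \t/*#@]*Version:\s*(\S+)', re.MULTILINE | re.IGNORECASE)

# Constructed sample header; not the contents of the real plugin file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Countdown & Clock
 * Version: 2.8.8
 */
"""


def parse_version(text):
    """Return the Version header value, or None if the text has no plugin header."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None


def version_tuple(version):
    """'2.8.9' -> (2, 8, 9); a pre-release suffix such as '-beta' is ignored."""
    core = version.split("-")[0]
    return tuple(int(part) for part in re.findall(r'\d+', core))


def is_vulnerable(version):
    """True for every version below the fixed release 2.8.9."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def check_plugin_dir(plugin_dir=DEFAULT_PLUGIN_DIR):
    """Find the first top-level .php file carrying a plugin header.

    Returns (filename, version, vulnerable) or None if no header was found
    (e.g. the plugin is not installed).
    """
    for php in sorted(Path(plugin_dir).glob("*.php")):
        version = parse_version(php.read_text(errors="replace"))
        if version:
            return php.name, version, is_vulnerable(version)
    return None


if __name__ == "__main__":
    result = check_plugin_dir()
    if result is None:
        print("countdown-builder not found (plugin header missing)")
    else:
        name, version, vulnerable = result
        print(f"{name}: {version} -> {'VULNERABLE, update to ' + FIXED_VERSION if vulnerable else 'patched'}")
```

Where WP-CLI is available, `wp plugin get countdown-builder --field=version` gives the same answer in one command; the script is for hosts where only the filesystem is reachable.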