Platform
wordpress
Component
redirect-countdown
Fixed in
1.0.1
CVE-2026-1390 describes a Cross-Site Request Forgery (XSRF) vulnerability affecting the Redirect countdown plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings, potentially redirecting users or altering site content. The vulnerability impacts versions 1.0.0 through 1.0. A fix is expected in a future plugin release.
An attacker exploiting this XSRF vulnerability can leverage forged HTTP requests to modify the Redirect countdown plugin's configuration. This includes altering the redirect URL, countdown timeout, and custom text displayed during redirection. Successful exploitation could lead to phishing attacks, redirection to malicious websites, or defacement of the WordPress site. The impact is amplified if the plugin is widely used and site administrators are routinely tricked into clicking malicious links. This vulnerability highlights the importance of proper nonce validation to prevent unauthorized modifications.
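To make the nonce-validation point concrete, here is an added example of a WordPress settings-save handler shown once without CSRF protection and once hardened. It is not the Redirect countdown plugin's code; every function, hook, option and field name prefixed `rc_example_` is invented for illustration, and the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, the `admin_post_{action}` hook) are the standard core functions.

```php
<?php
// Added example, not the plugin's own code. All rc_example_* names are hypothetical.

// VULNERABLE PATTERN: any POST reaching this handler is trusted, so a request
// forged by another origin and sent by a logged-in administrator's browser
// silently rewrites the plugin settings.
function rc_example_save_settings_unsafe() {
    update_option( 'rc_example_redirect_url', $_POST['redirect_url'] );
    update_option( 'rc_example_timeout', $_POST['timeout'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=rc-example' ) );
    exit;
}

// HARDENED: capability check, nonce verification, then input validation.
function rc_example_save_settings() {
    // 1. Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. The request must carry a nonce bound to this specific action.
    //    check_admin_referer() terminates with HTTP 403 when the nonce is
    //    missing, expired or was issued for a different action.
    check_admin_referer( 'rc_example_save_settings', 'rc_example_nonce' );

    // 3. Sanitise and validate every field before it is stored.
    $url = isset( $_POST['redirect_url'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) ) : '';
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( '' === $url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_die( 'Invalid redirect URL', '', array( 'response' => 400 ) );
    }
    $timeout = isset( $_POST['timeout'] ) ? absint( $_POST['timeout'] ) : 0;
    $text    = isset( $_POST['text'] ) ? sanitize_text_field( wp_unslash( $_POST['text'] ) ) : '';

    update_option( 'rc_example_redirect_url', $url );
    update_option( 'rc_example_timeout', $timeout );
    update_option( 'rc_example_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=rc-example' ) ) );
    exit;
}
// Registered on the authenticated-only hook; there is no nopriv variant.
add_action( 'admin_post_rc_example_save', 'rc_example_save_settings' );

// The settings form must embed the matching nonce field; a form built by a
// third-party origin cannot know the nonce value and so cannot pass step 2.
function rc_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rc_example_save">
        <?php wp_nonce_field( 'rc_example_save_settings', 'rc_example_nonce' ); ?>
        <input type="url" name="redirect_url"
               value="<?php echo esc_attr( get_option( 'rc_example_redirect_url', '' ) ); ?>">
        <input type="number" name="timeout" min="0"
               value="<?php echo esc_attr( get_option( 'rc_example_timeout', 0 ) ); ?>">
        <input type="text" name="text"
               value="<?php echo esc_attr( get_option( 'rc_example_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The same pattern applies to settings changed through `admin-ajax.php`: use `check_ajax_referer()` in the handler and register it only on the `wp_ajax_{action}` hook, never `wp_ajax_nopriv_{action}`, so unauthenticated requests cannot reach it at all. The capability check is kept separate from the nonce check because a nonce only proves the request originated from a page WordPress served to that user; it says nothing about what the user is allowed to do.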
CVE-2026-1390 was publicly disclosed on 2026-03-21. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog. Given the relatively simple nature of XSRF exploitation, it is possible that this vulnerability could be targeted in the future.
WordPress sites utilizing the Redirect countdown plugin are at risk. Shared hosting environments where multiple websites share the same server resources are particularly vulnerable, as an attacker could potentially exploit the vulnerability on one site to impact others. Site administrators who routinely click on links from untrusted sources are also at increased risk.
• wordpress / composer / npm:
  grep -r 'countdown_settings_content()' /var/www/html/wp-content/plugins/redirect-countdown/
• generic web:
  curl -I "https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=redirect_countdown_settings_content&nonce=malicious_nonce" | grep -i '200 OK'
Disclosure
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-1390 is to upgrade to a patched version of the Redirect countdown plugin once available. Until a patch is released, consider disabling the plugin if it's not essential. Implement strict user access controls and educate administrators about the risks of clicking on suspicious links. Web Application Firewalls (WAFs) configured to detect and block XSRF attacks can provide an additional layer of defense. Regularly review WordPress plugin settings for any unauthorized changes.
No known patch available. Study the vulnerability details thoroughly and apply mitigations based on your organization's risk tolerance. It may be best to remove the affected software and find a replacement.
CVE-2026-1390 is a Cross-Site Request Forgery (XSRF) vulnerability in the Redirect countdown WordPress plugin, allowing attackers to modify plugin settings via forged requests.
If you are using the Redirect countdown plugin in WordPress versions 1.0.0–1.0, you are potentially affected by this vulnerability.
Upgrade to a patched version of the Redirect countdown plugin as soon as it becomes available. Until then, consider disabling the plugin or implementing WAF rules.
There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it could be targeted in the future.
Refer to the WordPress security announcements page and the Redirect countdown plugin's official website for updates and advisories related to CVE-2026-1390.