MEDIUMCVE-2026-1390CVSS 4.3

Redirect countdown <= 1.0 - 跨站请求伪造 (Cross-Site Request Forgery) 用于设置更新

Q: What is CVE-2026-1390 — XSRF in Redirect countdown WordPress Plugin?

CVE-2026-1390 is a Cross-Site Request Forgery (XSRF) vulnerability in the Redirect countdown WordPress plugin, allowing attackers to modify plugin settings via forged requests.

Q: Am I affected by CVE-2026-1390 in Redirect countdown WordPress Plugin?

If you are using the Redirect countdown plugin in WordPress versions 1.0.0–1.0, you are potentially affected by this vulnerability.

Q: How do I fix CVE-2026-1390 in Redirect countdown WordPress Plugin?

Upgrade to a patched version of the Redirect countdown plugin as soon as it becomes available. Until then, consider disabling the plugin or implementing WAF rules.

Q: Is CVE-2026-1390 being actively exploited?

There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it could be targeted in the future.

Q: Where can I find the official WordPress advisory for CVE-2026-1390?

Refer to the WordPress security announcements page and the Redirect countdown plugin's official website for updates and advisories related to CVE-2026-1390.

平台

wordpress

组件

redirect-countdown

修复版本

1.0.1

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

CVE-2026-1390 describes a Cross-Site Request Forgery (XSRF) vulnerability affecting the Redirect countdown plugin for WordPress. This flaw allows unauthenticated attackers to manipulate plugin settings, potentially redirecting users or altering site content. The vulnerability impacts versions 1.0.0 through 1.0. A fix is expected in a future plugin release.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

An attacker exploiting this XSRF vulnerability can leverage forged HTTP requests to modify the Redirect countdown plugin's configuration. This includes altering the redirect URL, countdown timeout, and custom text displayed during redirection. Successful exploitation could lead to phishing attacks, redirection to malicious websites, or defacement of the WordPress site. The impact is amplified if the plugin is widely used and site administrators are routinely tricked into clicking malicious links. This vulnerability highlights the importance of proper nonce validation to prevent unauthorized modifications.

利用背景翻译中…

CVE-2026-1390 was publicly disclosed on 2026-03-21. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog. Given the relatively simple nature of XSRF exploitation, it is possible that this vulnerability could be targeted in the future.

哪些人处于风险中翻译中…

WordPress sites utilizing the Redirect countdown plugin are at risk. Shared hosting environments where multiple websites share the same server resources are particularly vulnerable, as an attacker could potentially exploit the vulnerability on one site to impact others. Site administrators who routinely click on links from untrusted sources are also at increased risk.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r 'countdown_settings_content()' /var/www/html/wp-content/plugins/redirect-countdown/

• generic web:

curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=redirect_countdown_settings_content&nonce=malicious_nonce | grep -i '200 OK'

攻击时间线

2026-03-21Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

EPSS

0.01% (2% 百分位)

CISA SSVC

利用情况none

可自动化no

技术影响partial

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope: 未改变 — 影响仅限于脆弱组件本身。
Confidentiality: 无 — 无机密性影响。
Integrity: 低 — 攻击者可修改部分数据，影响有限。
Availability: 无 — 无可用性影响。

受影响的软件

组件redirect-countdown

供应商wordfence

影响范围修复版本

0 – 1.01.0.1

软件包信息

活跃安装数: 80
插件评分: 0.0
需要WordPress版本: 6.9+
兼容至: 6.9.1
需要PHP版本: 8.0+

主页

弱点分类 (CWE)

CWE-352

时间线

已保留2026-01-23
发布日期2026-03-21
修改日期2026-04-08
EPSS 更新日期2026-03-28

未修复 — 披露已64天

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2026-1390 is to upgrade to a patched version of the Redirect countdown plugin once available. Until a patch is released, consider disabling the plugin if it's not essential. Implement strict user access controls and educate administrators about the risks of clicking on suspicious links. Web Application Firewalls (WAFs) configured to detect and block XSRF attacks can provide an additional layer of defense. Regularly review WordPress plugin settings for any unauthorized changes.

修复方法

没有已知的补丁可用。请深入审查漏洞的详细信息，并根据您组织的风险承受能力采取缓解措施。最好卸载受影响的软件并寻找替代方案。

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2026-1390 — XSRF in Redirect countdown WordPress Plugin?

CVE-2026-1390 is a Cross-Site Request Forgery (XSRF) vulnerability in the Redirect countdown WordPress plugin, allowing attackers to modify plugin settings via forged requests.

Am I affected by CVE-2026-1390 in Redirect countdown WordPress Plugin?

If you are using the Redirect countdown plugin in WordPress versions 1.0.0–1.0, you are potentially affected by this vulnerability.

How do I fix CVE-2026-1390 in Redirect countdown WordPress Plugin?

Upgrade to a patched version of the Redirect countdown plugin as soon as it becomes available. Until then, consider disabling the plugin or implementing WAF rules.

Is CVE-2026-1390 being actively exploited?

There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it could be targeted in the future.

Where can I find the official WordPress advisory for CVE-2026-1390?

Refer to the WordPress security announcements page and the Redirect countdown plugin's official website for updates and advisories related to CVE-2026-1390.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE