Vulnerabilities and security researches forwidget-countdown widget-countdown

Jan 26, 2025

CVE, Research URL: CVE-2025-24719
Home page URL: Security reports for Countdown Timer – Widget Countdown
Application: Countdown Timer – Widget Countdown
Date: Jan 24, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Widget Countdown allows Stored XSS. This issue affects Widget Countdown: from n/a through 2.7.1.
Affected versions: max 2.7.2.
Status: vulnerable

May 09, 2025

CVE, Research URL: CVE-2025-47443
Home page URL: Security reports for Countdown Timer – Widget Countdown
Application: Countdown Timer – Widget Countdown
Date: May 07, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Widget Countdown allows Stored XSS. This issue affects Widget Countdown: from n/a through 2.7.4.
Affected versions: max 2.7.5.
Status: vulnerable

Jan 27, 2026

CVE, Research URL: CVE-2025-14555
Home page URL: Security reports for Countdown Timer – Widget Countdown
Application: Countdown Timer – Widget Countdown
Date: Jan 10, 2026
Research Description: The Countdown Timer – Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.7.8.
Status: vulnerable