CVE-2025-69348

The Events Calendar Countdown Addon <= 1.4.15 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.4.16
Patched in
9d
Time to patch

Description

The The Events Calendar Countdown Addon plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.4.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4.15
PublishedJanuary 6, 2026
Last updatedJanuary 14, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

As the source code for the **The Events Calendar Countdown Addon** plugin is not provided, this research plan is designed to first identify the specific vulnerable endpoint using automated discovery and then execute the exploit. ## 1. Vulnerability Summary The "The Events Calendar Countdown Addon" …

Show full research plan

As the source code for the The Events Calendar Countdown Addon plugin is not provided, this research plan is designed to first identify the specific vulnerable endpoint using automated discovery and then execute the exploit.

1. Vulnerability Summary

The "The Events Calendar Countdown Addon" plugin (up to 1.4.15) contains a missing authorization vulnerability. An AJAX handler (likely registered with wp_ajax_) fails to perform a capability check (e.g., current_user_can( 'manage_options' )) before executing a privileged action. This allows any authenticated user, including those with Subscriber privileges, to invoke the function. The "unauthorized action" typically involves modifying plugin settings, updating countdown configurations, or potentially altering database options.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: (Inferred) An AJAX action such as ecc_save_settings, ect_save_data, or countdown_update_options.
  • Payload Parameters: action=[ACTION_NAME], _ajax_nonce (if applicable), and various setting fields (e.g., countdown_date, countdown_text).
  • Authentication: Subscriber-level credentials (subscriber / subscriber).
  • Precondition: The plugin must be active.

3. Code Flow (Discovery Phase)

Since source files are absent, the first task is to locate the vulnerable hook.

  1. Entry Point Identification:
    Search for AJAX registrations in the plugin directory:
    grep -rn "add_action.*wp_ajax_" /var/www/html/wp-content/plugins/countdown-for-the-events-calendar/
  2. Authorization Audit:
    For each identified action, locate the callback function and check for:
    • Lack of current_user_can(...).
    • Presence of check_ajax_referer(...) or wp_verify_nonce(...).
  3. Trace Sink:
    Examine the callback to see if it calls update_option(), update_post_meta(), or direct $wpdb queries.

4. Nonce Acquisition Strategy

If the identified handler uses check_ajax_referer, we must extract the nonce.

  1. Identify Nonce Location:
    Search for wp_localize_script or wp_create_nonce in the plugin:
    grep -rn "wp_create_nonce" /var/www/html/wp-content/plugins/countdown-for-the-events-calendar/
  2. Determine Visibility:
    Nonces used in wp_ajax_ handlers are often localized to scripts loaded in the WordPress dashboard. Since Subscribers can access /wp-admin/profile.php, they can often leak these nonces.
  3. Extraction:
    • Navigate to /wp-admin/profile.php as a Subscriber.
    • Use browser_eval to find the localization object.
    • Likely Variable (Inferred): window.ecc_obj?.nonce or window.ect_admin?.ajax_nonce.

5. Exploitation Strategy

Once the action and nonce are identified, follow these steps:

  1. Authenticate: Log in as subscriber.
  2. Identify Target Setting: Determine which option the plugin controls (e.g., ecc_countdown_settings).
  3. Craft Request:
    Construct a POST request to admin-ajax.php.
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost:8080
    Content-Type: application/x-www-form-urlencoded
    Cookie: [Subscriber Cookies]
    
    action=[IDENTIFIED_ACTION]&nonce=[EXTRACTED_NONCE]&target_option_key=malicious_value
    
  4. Execute: Use the http_request tool to send the payload.

6. Test Data Setup

  1. Install Plugin: Ensure countdown-for-the-events-calendar version 1.4.15 is installed.
  2. Create User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=subscriber
  3. Configure Initial State: Create a dummy countdown or save initial settings to have a baseline for comparison.
    wp option get [PLUGIN_OPTION_NAME]

7. Expected Results

  • Response: The server returns a successful response (likely 1, true, or a JSON success message).
  • State Change: The plugin's configuration or a global WordPress option is updated to the value provided in the Subscriber's request.

8. Verification Steps

  1. Verify via CLI:
    Check the database for the updated value:
    wp option get [PLUGIN_OPTION_NAME]
  2. Confirm Lack of Auth:
    Verify the code at the identified file/line:
    sed -n '[LINE_START],[LINE_END]p' [FILE_PATH]
    Confirm that current_user_can is indeed missing from the function body.

9. Alternative Approaches

If the plugin does not use wp_ajax_, check for:

  • Admin Init Hooks: add_action( 'admin_init', ... ) functions often process $_POST data and run on every admin page load (including admin-ajax.php) without proper authorization checks.
  • REST API:
    grep -rn "register_rest_route" /var/www/html/wp-content/plugins/countdown-for-the-events-calendar/
    Check if the permission_callback returns true or is missing.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Events Calendar Countdown Addon for WordPress (up to 1.4.15) is vulnerable to missing authorization in its AJAX handlers. This allows authenticated attackers with Subscriber-level privileges or higher to perform unauthorized actions, such as modifying plugin settings, because the server fails to verify user capabilities before executing privileged tasks.

Exploit Outline

To exploit this vulnerability, an attacker first authenticates as a Subscriber-level user. They then extract a valid AJAX nonce, which is typically exposed in the WordPress dashboard via localized scripts (e.g., in window.ect_admin or similar objects). With the nonce, the attacker sends a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the plugin's vulnerable handler (such as 'ect_save_data') and includes the desired malicious configuration parameters in the payload. Since the plugin lacks a current_user_can() check, the request is processed as if it came from an administrator.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.