Cross-site Scripting Vulnerability in bPlugins Countdown Timer
CVE-2025-26938

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Countdown Timer
Vendor: CVE Published:; 25 February 2025

What is CVE-2025-26938?

The bPlugins Countdown Timer plugin is susceptible to a Cross-site Scripting (XSS) vulnerability, allowing attackers to exploit improper input handling during web page generation. This stored XSS issue can lead to unauthorized actions on behalf of users, making it critical for website administrators to implement recommended security patches and updates to safeguard user data and maintain web integrity.

Affected Version(s)

Countdown Timer <= 1.2.6

References

https://patchstack.com/database/wordpress/plugin/countdow...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 25, 2025
Vulnerability Reserved
Feb 17, 2025

Credit

Logan Cote (Patchstack Alliance)