CVE-2024-2017
📋 TL;DR
This vulnerability in the WordPress Countdown & Clock plugin allows authenticated attackers with subscriber-level access or higher to inject PHP objects and modify countdown statuses. It affects all plugin versions up to 2.7.8 due to missing capability checks in two functions. WordPress sites using this plugin are vulnerable if they have any registered users.
💻 Affected Systems
- Countdown, Coming Soon, Maintenance – Countdown & Clock WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could achieve remote code execution by injecting malicious PHP objects, potentially leading to complete site compromise, data theft, or malware installation.
Likely Case
Attackers modify countdown settings or inject limited PHP objects to disrupt site functionality or gain elevated privileges.
If Mitigated
With proper user access controls and monitoring, impact is limited to unauthorized countdown modifications.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. PHP object injection can lead to various secondary attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.9
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3097588/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Countdown, Coming Soon, Maintenance – Countdown & Clock'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.7.9+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the plugin until patched (applies to: all)
wp plugin deactivate countdown-builder
Restrict user registration
Disable new user registrations to limit the attack surface (applies to: all)
Settings → General → Membership: Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict user access controls and monitor subscriber-level accounts
- Deploy web application firewall rules to block requests to vulnerable Ajax endpoints
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin under Plugins → Installed Plugins. If the version is 2.7.8 or lower, the site is vulnerable.
Check Version:
wp plugin get countdown-builder --field=version
Verify Fix Applied:
Confirm the plugin version is 2.7.9 or higher, then test with a subscriber-level account that the countdown modification functions are no longer reachable without the required capability.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=conditionsRow or action=switchCountdown from subscriber accounts
- PHP object injection attempts in request parameters
Network Indicators:
- HTTP requests to vulnerable Ajax endpoints from authenticated sessions
- Unexpected countdown status changes
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND (param_action="conditionsRow" OR param_action="switchCountdown"))
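The log indicators above turned into a small detector, added here as an example and not taken from the advisory or the plugin: it parses Combined Log Format lines, flags admin-ajax.php requests carrying the two Ajax actions named in this advisory, and flags any parameter that carries a PHP serialized object header. The sample log lines are constructed; the header regex and the note about POST bodies are the author's assumptions about typical access-log coverage.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Combined Log Format; the third field is the HTTP auth user, not the WordPress user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Ajax actions named in the advisory that lacked capability checks before 2.7.9.
VULN_ACTIONS = {"conditionsRow", "switchCountdown"}
# Header of a PHP serialized object, e.g. O:8:"stdClass":1:{ (after URL decoding).
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')

def inspect_request(method, target, body=""):
    """Return finding strings for one request (empty list = nothing flagged).
    `body` is the POST body if a WAF/audit log captured it; plain access logs
    only carry the query string, so actions sent in the body are invisible there."""
    findings = []
    parts = urlsplit(target)
    if parts.path != "/wp-admin/admin-ajax.php":
        return findings
    params = parse_qs(parts.query)
    params.update(parse_qs(body))
    for action in params.get("action", []):
        if action in VULN_ACTIONS:
            findings.append(f"{method} admin-ajax action={action}")
    for values in params.values():
        for v in values:
            # parse_qs decoded once; decode again to catch double-encoded values.
            if PHP_OBJECT_RE.search(unquote_plus(v)):
                findings.append("serialized PHP object in parameter")
    return findings

def scan_log(lines):
    """Return (ip, auth_user, finding) tuples for every flagged access-log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for finding in inspect_request(m["method"], m["target"]):
                hits.append((m["ip"], m["user"], finding))
    return hits

# Constructed sample traffic (RFC 5737 addresses), not captured from a real site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=switchCountdown&id=3&status=1 HTTP/1.1" 200 45
203.0.113.5 - - [10/Mar/2024:12:00:15 +0000] "POST /wp-admin/admin-ajax.php?action=conditionsRow&data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D HTTP/1.1" 200 45
198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60
"""
```

Run `scan_log(SAMPLE_LOG.splitlines())` to get three hits from the two flagged requests; ordinary admin-ajax traffic such as `action=heartbeat` is not reported.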
🔗 References
- https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L51
- https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L92
- https://plugins.trac.wordpress.org/changeset/3096150/
- https://plugins.trac.wordpress.org/changeset/3097588/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d8fab229-cd6b-45a3-9e80-a03a1704ad3e?source=cve