PT-2023-21213 · WordPress · The Waiting

István Márton


Published: 2023-05-18 · Updated: 2023-05-26

CVE-2023-2757

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: The Waiting: One-click countdowns plugin for WordPress, versions up to and including 0.6.2

Description: The plugin's saveLang functions do not perform a capability check, so any authenticated user with subscriber-level access can call them and save plugin data. Because that data is neither sufficiently sanitized on input nor escaped on output, the missing authorization can be chained into Cross-Site Scripting: an attacker can store arbitrary web scripts in pages that execute whenever a user accesses an injected page.

Recommendations: For versions up to and including 0.6.2, consider disabling the saveLang functions until a patch is available, to prevent unauthorized access and potential Cross-Site Scripting attacks. Restrict access to the plugin's data-saving functions to minimize the risk of exploitation. Avoid using the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
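As an added illustration (not the plugin's own code), the following hypothetical WordPress AJAX save handler shows the two defects the advisory describes next to a hardened version: authorization via a capability check plus nonce verification before anything is saved, and sanitization on input with escaping on output. The function, action, option and field names are assumptions.

```php
<?php
// Hypothetical illustration of the defect class in the advisory; not the plugin's code.
// Option name, AJAX action names and the "lang" field are assumed.

// VULNERABLE pattern: every logged-in user (subscribers included) can reach
// wp_ajax_* handlers, and nothing here checks a capability, a nonce, or the value.
function tw_save_lang_vulnerable() {
    $lang = $_POST['lang'] ?? '';            // raw, attacker-controlled input
    update_option( 'tw_lang_label', $lang ); // stored as-is
    wp_send_json_success();
}
add_action( 'wp_ajax_tw_save_lang_vulnerable', 'tw_save_lang_vulnerable' );

// HARDENED pattern: authorize, verify intent, then sanitize before saving.
function tw_save_lang_hardened() {
    // 1. Capability check: subscribers lack manage_options, so the request stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Nonce check so the save cannot be forged cross-site.
    check_ajax_referer( 'tw_save_lang', 'nonce' );

    // 3. Input sanitization: strips tags and line breaks, normalises whitespace.
    $lang = isset( $_POST['lang'] ) ? sanitize_text_field( wp_unslash( $_POST['lang'] ) ) : '';
    update_option( 'tw_lang_label', $lang );
    wp_send_json_success();
}
add_action( 'wp_ajax_tw_save_lang_hardened', 'tw_save_lang_hardened' );

// 4. Output escaping at render time, regardless of what was stored earlier.
function tw_render_lang_label() {
    $lang = get_option( 'tw_lang_label', '' );
    echo '<span class="tw-lang">' . esc_html( $lang ) . '</span>';
}
```

Steps 1 and 2 close the missing-authorization finding on their own; steps 3 and 4 remove the stored XSS even for data that was saved before the fix.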

Weakness Enumeration: XSS, Missing Authorization

Related Identifiers: CVE-2023-2757

Affected Products: The Waiting