PT-2025-14848 · WordPress · Countdown

Michael Mazzolini · Published 2025-04-04 · Updated 2025-04-09 · CVE-2025-2270

CVSS v3.1 8.1 High
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress versions up to, and including, 2.8.9.1
Description The createCdObj function is vulnerable to Local File Inclusion. An unauthenticated attacker can make the plugin include and execute files with specific filenames on the server, so any PHP code contained in those files runs with the privileges of the web server process. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in some cases, namely when the attacker can already get PHP code into a file whose name the plugin will include.
Recommendations For versions up to, and including, 2.8.9.1, consider disabling the createCdObj function until a patched release is available. Restrict the web server's access to sensitive files on the server to limit what a successful inclusion can read or execute.
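As an added illustration, not code from the Countdown plugin (this page does not show the real createCdObj), the PHP below contrasts the include pattern that produces a Local File Inclusion with a hardened form that combines a fixed allow-list with a realpath() containment check. The parameter name, the templates directory layout and the allow-list contents are assumptions; the files the self-check creates are constructed in the system temp directory and removed afterwards.

```php
<?php
// Added illustration, not code from the Countdown plugin. The plugin's real
// createCdObj() is not reproduced here: the parameter name $template, the
// templates directory and the allow-list contents are all assumptions.

/**
 * Hypothetical vulnerable pattern. A user-controlled name is spliced into an
 * include path, so "../" sequences walk out of the templates directory and
 * any readable file the attacker can name (an uploaded image that carries
 * PHP, a file they seeded elsewhere, wp-config.php) is parsed as PHP.
 */
function createCdObj_vulnerable(string $templatesDir, string $template): string
{
    $path = $templatesDir . '/' . $template . '.php';
    ob_start();
    include $path;                 // the attacker chooses which file runs
    return (string) ob_get_clean();
}

/**
 * Hardened version. First accept only names from a fixed allow-list, then
 * confirm with realpath() that the resolved file still lies inside the
 * templates directory. The allow-list blocks traversal; the realpath() check
 * guards against a symlink or a future allow-list entry pointing outside.
 */
function createCdObj_hardened(string $templatesDir, string $template): string
{
    static $allowed = ['clock', 'countdown', 'maintenance'];
    if (!in_array($template, $allowed, true)) {
        throw new InvalidArgumentException("unknown template name: $template");
    }

    $base = realpath($templatesDir);
    $path = realpath($templatesDir . '/' . $template . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("template resolved outside $templatesDir");
    }

    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Self-check with a constructed templates directory under the system temp dir.
$dir = sys_get_temp_dir() . '/cd-templates-' . getmypid();
mkdir($dir, 0700, true);
file_put_contents("$dir/countdown.php", '<?php echo "countdown template";');
// A "secret" file one level up stands in for wp-config.php; it must never be included.
$secret = 'cd-secret-' . getmypid();
file_put_contents(dirname($dir) . "/$secret.php", '<?php echo "SECRET";');

$probes = ['countdown', "../$secret", 'uploads/avatar.jpg'];
foreach ($probes as $probe) {
    try {
        echo "hardened accepted '$probe': " . createCdObj_hardened($dir, $probe) . "\n";
    } catch (Throwable $e) {
        echo "hardened rejected '$probe': " . $e->getMessage() . "\n";
    }
}
// The vulnerable variant includes the file outside the templates directory.
echo "vulnerable '../$secret': " . createCdObj_vulnerable($dir, "../$secret") . "\n";

// Clean up the constructed files.
unlink("$dir/countdown.php");
unlink(dirname($dir) . "/$secret.php");
rmdir($dir);
```

Run it with `php lfi-example.php` (any filename). The hardened function accepts only `countdown` and rejects both the traversal probe and the arbitrary upload path before any include happens, while the vulnerable function executes the file one directory above the templates folder. The allow-list is the primary control; the realpath() comparison is kept as defence in depth because it also catches a symlinked template directory.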

Fix

Weakness Enumeration Path traversal

Related Identifiers CVE-2025-2270

Affected Products Countdown