CVE-2026-1390 in Redirect Countdown Plugin
Summary
by MITRE • 03/21/2026
The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `countdown_settings_content()` function. This makes it possible for unauthenticated attackers to update the plugin settings including the countdown timeout, redirect URL, and custom text, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/27/2026
The Redirect countdown plugin for WordPress presents a critical cross-site request forgery vulnerability that affects all versions up to and including 1.0. This vulnerability stems from the absence of proper nonce validation within the countdown_settings_content() function, creating a significant security gap that adversaries can exploit to manipulate plugin configurations without authentication. The flaw represents a direct violation of web application security principles that require proper request validation and authentication checks before processing sensitive operations.
The technical implementation of this vulnerability allows attackers to craft malicious requests that modify critical plugin settings including countdown timeout values, redirect URL destinations, and custom text configurations. The missing nonce validation means that any request sent to the countdown_settings_content() function can be executed without proper authorization, as the system fails to verify that the request originates from a legitimate administrative session. This creates a scenario where an attacker can manipulate the plugin behavior to redirect users to malicious sites or display inappropriate content, potentially leading to further exploitation or phishing attacks.
The operational impact of this vulnerability extends beyond simple configuration changes, as it provides attackers with the capability to manipulate user experience and potentially redirect traffic to malicious destinations. When an administrator performs actions such as clicking on a malicious link or visiting a compromised website, the forged request can silently update plugin settings, making the attack vector particularly insidious. The vulnerability is classified under CWE-352, which specifically addresses cross-site request forgery issues in web applications, and aligns with ATT&CK technique T1213.002 for credential access through web application attacks.
Organizations using this plugin face significant risk of unauthorized configuration changes that could compromise user security and trust. The vulnerability can be exploited in various attack scenarios including social engineering campaigns where administrators are tricked into clicking malicious links, or through compromised websites that embed the forged requests. The lack of authentication verification makes this attack particularly dangerous as it requires no prior credentials or access privileges. Security teams should prioritize immediate patching or mitigation strategies, as the vulnerability exists in all versions up to the affected release, and the attack surface remains constant across all affected installations.
Mitigation strategies should include immediate implementation of nonce validation in the countdown_settings_content() function, proper authentication checks for all administrative operations, and regular security auditing of WordPress plugins. The plugin developers must implement proper request verification mechanisms that ensure all administrative actions originate from legitimate authenticated sessions. Additionally, administrators should consider implementing additional security measures such as web application firewalls, monitoring for suspicious administrative activities, and user education to prevent social engineering attacks that could exploit this vulnerability. The vulnerability demonstrates the critical importance of proper input validation and authentication mechanisms in web applications, particularly for plugins that handle user-facing content and redirection behaviors.