CVE-2024-10669: 
WordPress vulnerability analysis and mitigation

The Countdown Timer block plugin for WordPress contains an Information Exposure vulnerability (CVE-2024-10669) affecting all versions up to and including 1.2.4. The vulnerability exists in the [ctb] shortcode functionality due to insufficient restrictions on post access controls (Wordfence).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The weakness has been classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability allows authenticated attackers with Contributor-level access or higher to bypass access restrictions and extract data from password protected, private, or draft posts that they should not have access to (NVD).

When exploited, this vulnerability allows authenticated users with Contributor-level privileges or higher to access and extract sensitive content from password-protected posts, private posts, and draft posts that should be restricted from their access level (NVD).

Users are advised to update to version 1.2.5 or later of the Countdown Timer block plugin which contains fixes for this vulnerability (WordPress Plugin).