CVE-2025-11880: 
WordPress vulnerability analysis and mitigation

The SM CountDown Widget plugin for WordPress (CVE-2025-11880) was identified with a Stored Cross-Site Scripting vulnerability in versions 1.2 and earlier. The vulnerability was discovered and disclosed on October 21, 2025, affecting the plugin's smcountdown shortcode functionality (NVD NIST, Wordfence Intel).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the smcountdown shortcode. It has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD NIST).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user interactions (NVD NIST).

Users are advised to update their SM CountDown Widget plugin to versions newer than 1.2 if available. No specific workarounds have been publicly documented for those unable to update immediately (NVD NIST).