CVE-2025-22822: 
WordPress vulnerability analysis and mitigation

The wp custom countdown WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.8, identified as CVE-2025-22822. The vulnerability was discovered by researcher 0xd4rk5id3 and publicly disclosed on January 7, 2025. This security issue affects authenticated users with contributor-level access or above (Patchstack, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the wp custom countdown plugin. This allows authenticated attackers with contributor-level privileges to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (Patchstack).

When exploited, this vulnerability allows attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will execute when visitors access the affected pages. The vulnerability impacts the confidentiality, integrity, and availability of the affected websites (Patchstack).

Currently, there is no official fix available for this vulnerability. The latest affected version is 2.8, and no patched version has been released (Patchstack).