CVE-2025-8445: 
WordPress vulnerability analysis and mitigation

The Countdown Timer for Elementor plugin for WordPress (versions up to 1.3.9) was identified with a Stored Cross-Site Scripting vulnerability, tracked as CVE-2025-8445. The vulnerability was discovered by researcher zer0gh0st and publicly disclosed on September 10, 2025. The issue specifically involves the 'countdown_label' parameter, which lacks proper input sanitization and output escaping (NVD, Wordfence Intel).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.4 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, required low privileges, no user interaction, and potential for some confidentiality and integrity impacts (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user interactions (NVD).

Users should upgrade their Countdown Timer for Elementor plugin to a version newer than 1.3.9 once available. Until then, it is recommended to restrict access to the Countdown Timer functionality to trusted users only (Wordfence Intel).