
Redirect Countdown Plugin for WordPress Allows Unauthenticated Setting Changes

CVE-2026-1390
Summary

The Redirect Countdown plugin for WordPress is vulnerable to cross-site request forgery (CSRF): an attacker who tricks a site administrator into an action such as clicking a link can change the plugin's settings without permission. This could allow them to change the countdown timer, where it redirects to, or what text is shown. To fix this, update to the latest version or uninstall the plugin if you're not using it.

Original title
The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `countdown_settings...
Original description
The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `countdown_settings_content()` function. This makes it possible for unauthenticated attackers to update the plugin settings including the countdown timeout, redirect URL, and custom text, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
NVD CVSS 3.1: 4.3
Vulnerability type
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026
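
The missing nonce validation named in the description, shown as an added example of what a settings handler with the check in place looks like; this is not the plugin's own code. Only the function name `countdown_settings_content()` comes from the advisory. The nonce action, field names and option names are assumptions made for illustration.

```php
<?php
// Added example. RC_* constants, the rc_* form fields and the rc_* option
// names are hypothetical; they are not taken from the plugin's source.
const RC_NONCE_ACTION = 'rc_save_settings';
const RC_NONCE_FIELD  = 'rc_settings_nonce';

function countdown_settings_content() {
    // Capability check: only administrators may view or change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage these settings.' ) );
    }

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // Nonce check: terminates the request unless it carries a valid
        // nonce for this action. A forged cross-site form submission cannot
        // supply one, because the nonce is tied to the admin's session.
        check_admin_referer( RC_NONCE_ACTION, RC_NONCE_FIELD );

        // Sanitize each value before it is stored.
        $timeout = isset( $_POST['rc_timeout'] ) ? absint( $_POST['rc_timeout'] ) : 0;
        $url     = isset( $_POST['rc_url'] )
            ? esc_url_raw( wp_unslash( $_POST['rc_url'] ) ) : '';
        $text    = isset( $_POST['rc_text'] )
            ? sanitize_text_field( wp_unslash( $_POST['rc_text'] ) ) : '';

        update_option( 'rc_timeout', $timeout );
        update_option( 'rc_url', $url );
        update_option( 'rc_text', $text );
    }
    ?>
    <form method="post">
        <?php // Emits the hidden nonce field that check_admin_referer() verifies. ?>
        <?php wp_nonce_field( RC_NONCE_ACTION, RC_NONCE_FIELD ); ?>
        <input type="number" name="rc_timeout"
               value="<?php echo esc_attr( get_option( 'rc_timeout', 5 ) ); ?>">
        <input type="url" name="rc_url"
               value="<?php echo esc_url( get_option( 'rc_url', '' ) ); ?>">
        <input type="text" name="rc_text"
               value="<?php echo esc_attr( get_option( 'rc_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The nonce and the capability check cover different things: `current_user_can()` confirms who is making the request, while `check_admin_referer()` confirms the request came from the plugin's own settings form.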