CVE-2025-2270 Overview
CVE-2025-2270 is a Local File Inclusion (LFI) vulnerability in the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress. The flaw affects all versions up to and including 2.8.9.1 and resides in the createCdObj function. Unauthenticated attackers can include and execute files with specific filenames on the server, enabling execution of arbitrary PHP code contained in those files. Successful exploitation can bypass access controls, expose sensitive data, and in some cases lead to remote code execution on the underlying host [CWE-22].
Critical Impact
Unauthenticated attackers can trigger PHP file inclusion through the createCdObj function, leading to information disclosure and potential code execution on vulnerable WordPress sites.
Affected Products
- WordPress plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock (slug: countdown-builder)
- All plugin versions up to and including 2.8.9.1
- WordPress sites with the vulnerable plugin active and reachable over the network
Discovery Timeline
- 2025-04-04 - CVE-2025-2270 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in the NVD
Technical Details for CVE-2025-2270
Vulnerability Analysis
The vulnerability is a Local File Inclusion flaw within the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin. The defective logic lives in the createCdObj function, which is reachable without authentication. The function processes attacker-controlled input and uses it to construct a file path that is subsequently included by the PHP interpreter. Because the input is not constrained to a safe allowlist of templates, an attacker can direct the include statement to other PHP files already present on the server. Any PHP file the web server can read is executed in the WordPress process context, inheriting database access and filesystem permissions.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory, classified as [CWE-22]. The createCdObj function accepts a parameter that influences the include path without sanitizing path traversal sequences or enforcing an allowlist of permitted files. Attackers can reference files outside the intended template directory.
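The include pattern the analysis and root-cause sections describe, shown as an added illustration beside its hardened form. This is not the plugin's createCdObj code and is not taken from the Wordfence or WordPress.org reviews; the function names, the $templateDir and $requested parameters and the allowlist entries are assumptions made for the example. The hardened version treats the request value purely as a key into a fixed allowlist and then confirms, after realpath() resolution, that the file still lies inside the template directory, which is the CWE-22 control the plugin lacks.

```php
<?php
declare(strict_types=1);

// Added illustration of the CWE-22 include pattern; not the plugin's createCdObj
// code. Function names, $templateDir, $requested and the allowlist are assumptions.

// Vulnerable shape of the flaw described above: the request value steers the
// include path, so "../" sequences or an absolute path reach any PHP file the
// web server account can read.
function render_template_vulnerable(string $templateDir, string $requested): void
{
    include $templateDir . '/' . $requested . '.php';
}

// Hardened shape: the request value is only a key into a fixed allowlist, and the
// resolved path must still lie inside the template directory. Returns the
// absolute path to include, or null when the request must be rejected.
function resolve_template(string $templateDir, string $requested): ?string
{
    static $allowed = ['default', 'minimal', 'dark']; // assumed template names
    if (!in_array($requested, $allowed, true)) {
        return null;                                   // not on the allowlist
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $requested . '.php');
    // realpath() is false for a missing file; the prefix check additionally
    // catches a symlink that points outside the template directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $templateDir, string $requested): void
{
    $path = resolve_template($templateDir, $requested);
    if ($path === null) {
        http_response_code(400);
        echo "unknown template\n";
        return;
    }
    include $path;
}

// Stand-alone demo: a constructed template directory under the system temp dir.
// 'dark' is on the allowlist but has no file, so it is rejected as well.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/cd-templates-' . getmypid();
    mkdir($dir, 0700);
    file_put_contents($dir . '/default.php', '<?php echo "default template rendered\n";' . "\n");
    foreach (['default', 'dark', '../outside', '/abs/path'] as $req) {
        $r = resolve_template($dir, $req);
        printf("%-12s => %s\n", $req, $r === null ? 'rejected' : 'ok ' . $r);
    }
    render_template($dir, 'default');
    unlink($dir . '/default.php');
    rmdir($dir);
}
```

Run it with `php example.php`. The allowlist check alone would already stop the traversal, but keeping the realpath() prefix check means a future allowlist entry containing a separator, or a symlink dropped into the template directory, still cannot pull in a file from elsewhere.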
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the WordPress endpoint that invokes createCdObj and supplies a filename pointing to a PHP file already present on the host. The web server executes the contents of the targeted file. The high attack complexity reflects the requirement that the target file exist on the server with a specific filename and be reachable from the include path.
No verified public exploit code is available. See the WordPress Plugin Code Review and the Wordfence Vulnerability Report for technical details on the affected code path.
Detection Methods for CVE-2025-2270
Indicators of Compromise
- Unexpected HTTP requests to WordPress endpoints that invoke the createCdObj function with file or template parameters
- Path traversal sequences such as ../ or absolute paths in plugin query parameters and POST bodies
- PHP error log entries referencing failed include or require calls originating from the countdown-builder plugin directory
- Outbound connections or new PHP files appearing in wp-content/uploads/ following inbound requests to the plugin
Detection Strategies
- Inspect web server access logs for requests targeting the countdown-builder plugin with anomalous file-path parameters
- Deploy WordPress-aware web application firewall rules that block path traversal patterns against plugin endpoints
- Correlate web requests with PHP include events using endpoint and SIEM telemetry to identify unauthorized file execution
Monitoring Recommendations
- Monitor the wp-content/plugins/countdown-builder/ directory for modification of PHP files or unexpected file creation
- Alert on PHP processes spawning shells, network utilities, or other unusual child processes from the web server account
- Track repeated 4xx and 5xx responses on plugin endpoints, which often indicate enumeration of valid include paths
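An added log-scanning example for the detection strategies and monitoring recommendations above; it is not part of the advisory and not a vendor tool. It reads combined-format access log lines, percent-decodes them before matching so that ../, ..%2f and double-encoded variants are all caught, flags requests to the countdown-builder path that carry traversal sequences or absolute paths in parameters, and counts 4xx/5xx responses per client to surface the enumeration pattern. The log lines, the index.php endpoint and the template parameter are constructed samples; the plugin's real endpoint and parameter names are not on this page.

```php
<?php
declare(strict_types=1);

// Added detection example, not part of the advisory or of any vendor product.
// Constructed sample lines in combined log format; the index.php endpoint and
// the "template" parameter are assumptions, not the plugin's real names.
$SAMPLE_LOG = [
    '203.0.113.7 - - [05/Apr/2025:10:12:01 +0000] "GET /wp-content/plugins/countdown-builder/assets/cd.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2025:10:12:02 +0000] "GET /wp-content/plugins/countdown-builder/index.php?template=../../../uploads/2025/04/note HTTP/1.1" 500 0 "-" "curl/8.4"',
    '203.0.113.7 - - [05/Apr/2025:10:12:03 +0000] "GET /wp-content/plugins/countdown-builder/index.php?template=..%252f..%252fuploads%252fnote HTTP/1.1" 404 0 "-" "curl/8.4"',
    '198.51.100.4 - - [05/Apr/2025:10:13:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Apr/2025:10:12:04 +0000] "GET /wp-content/plugins/countdown-builder/index.php?template=/var/www/html/wp-content/uploads/2025/04/note HTTP/1.1" 500 0 "-" "curl/8.4"',
];

// Percent-decode repeatedly so "..%2f", "%2e%2e/" and the double-encoded
// "%252e%252e%252f" all normalise to "../" before the patterns are applied.
function normalise(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

// Returns one record per suspicious request: line number, client IP, HTTP
// status and the reason(s) it was flagged.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        // combined log: ip ident user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $target, $status] = $m;
        if (stripos($target, '/wp-content/plugins/countdown-builder/') === false) {
            continue;                       // only the vulnerable plugin's paths
        }
        $decoded = normalise($target);
        $reasons = [];
        if (preg_match('#\.\.[/\\\\]#', $decoded)) {
            $reasons[] = 'path traversal';
        }
        if (preg_match('#=(/|[A-Za-z]:[/\\\\])#', $decoded)) {
            $reasons[] = 'absolute path in parameter';
        }
        if ($reasons !== []) {
            $hits[] = ['line' => $i + 1, 'ip' => $ip, 'status' => (int) $status,
                       'reason' => implode(', ', $reasons)];
        }
    }
    return $hits;
}

// Per-client counts; a run of 4xx/5xx responses from one source is the
// enumeration pattern the monitoring recommendations describe.
function summarise_by_ip(array $hits): array
{
    $out = [];
    foreach ($hits as $h) {
        $out[$h['ip']] ??= ['requests' => 0, 'errors' => 0];
        $out[$h['ip']]['requests']++;
        if ($h['status'] >= 400) {
            $out[$h['ip']]['errors']++;
        }
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    $hits = scan_log($SAMPLE_LOG);
    foreach ($hits as $h) {
        printf("line %d  %-13s HTTP %d  %s\n", $h['line'], $h['ip'], $h['status'], $h['reason']);
    }
    foreach (summarise_by_ip($hits) as $ip => $s) {
        printf("%s: %d suspicious requests, %d answered with 4xx/5xx\n", $ip, $s['requests'], $s['errors']);
    }
}
```

Replace $SAMPLE_LOG with `file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES)` to run it over a real log. The scanner only sees the request line, so traversal sequences carried in POST bodies (listed among the indicators above) need the WAF or application-level logging to be visible.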
How to Mitigate CVE-2025-2270
Immediate Actions Required
- Update the Countdown, Coming Soon, Maintenance – Countdown & Clock plugin to a version newer than 2.8.9.1 once the vendor releases a patched build
- Deactivate and remove the plugin from WordPress installations where an update is not yet available
- Audit the WordPress filesystem for unauthorized PHP files, modified plugin files, or new administrator accounts
Patch Information
Review the Wordfence Vulnerability Report for the latest fixed version information. Verify the patched version against the WordPress Plugin Code Review for the createCdObj function before redeploying.
Workarounds
- Restrict access to plugin endpoints at the web server or WAF layer using IP allowlists for administrative paths
- Block requests containing path traversal sequences such as ../ or ..%2f directed at WordPress plugin handlers
- Apply PHP open_basedir restrictions to limit which directories the web server process can include
# Example nginx rule to block path traversal against the vulnerable plugin.
# $args is the raw query string, so both "../" and the URL-encoded "..%2f" are
# matched (~* makes the match case-insensitive). Double-encoded sequences such
# as "%252e%252e" and traversal in POST bodies are not covered by this rule.
location ~* /wp-content/plugins/countdown-builder/ {
    if ($args ~* "\.\./|\.\.%2f") {
        return 403;
    }
}

; Example php.ini hardening
; open_basedir confines every file operation of the PHP process, include calls
; among them, to the listed directories.
open_basedir = "/var/www/html:/tmp"
; allow_url_include only governs remote (URL) includes; it is Off by default and
; does not by itself stop the local file inclusion described above.
allow_url_include = Off
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.