CVE-2025-12665: CWE-862 Missing Authorization in lovelightplugins Ninja Countdown | Fastest Countdown Builder
The Ninja Countdown | Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary countdowns.
AI Analysis
Technical Summary
CVE-2025-12665 is a missing authorization vulnerability (CWE-862) in the Ninja Countdown | Fastest Countdown Builder plugin for WordPress, affecting all versions up to and including 1.5.0. The plugin's AJAX endpoint 'ninja_countdown_admin_ajax' does not perform a capability check, so any authenticated user with Subscriber-level privileges or higher can invoke its administrative actions. This lets such users delete arbitrary countdown timers, including ones created by other users or administrators, resulting in unauthorized data loss. Exploitation requires no user interaction beyond holding an authenticated session and can be carried out remotely over the network. The CVSS v3.1 base score is 4.3 (medium): authenticated access is required and the impact is confined to integrity, with no effect on confidentiality or availability. No patch and no known exploits had been reported as of the publication date. The flaw underlines the need for strict authorization checks on every administrative AJAX endpoint in a WordPress plugin, especially endpoints that modify or delete content. Until a security update is released, organizations using this plugin should audit user roles and permissions, restrict Subscriber-level users from reaching administrative AJAX endpoints, and monitor logs for unusual deletion activity.
Potential Impact
The primary impact of this vulnerability is a loss of data integrity, specifically the deletion of countdown timers within the Ninja Countdown plugin. For organizations that rely on countdown timers for marketing campaigns, sales events, or user engagement, this could disrupt business operations and user experience. Although the vulnerability exposes no confidential information and causes no denial of service, the loss of countdown data could lead to operational confusion, loss of trust, and potential revenue impact. Because exploitation requires only Subscriber-level authentication, any compromised or malicious low-privilege account could trigger the deletion, which raises the risk for sites with many registered users or weak account controls. The scope is limited to WordPress sites running this specific plugin, but given WordPress's widespread use, the number of potentially affected sites is significant. The absence of known in-the-wild exploits reduces the immediate risk, but the vulnerability remains a concern until it is patched.
Mitigation Recommendations
1. Immediately restrict Subscriber-level and other low-privilege roles from invoking the 'ninja_countdown_admin_ajax' endpoint, either through custom access controls or through a security plugin that enforces capability checks on AJAX actions.
2. Temporarily disable or uninstall the Ninja Countdown plugin if countdown functionality is non-critical or no patch is available.
3. Monitor WordPress and plugin-specific logs for suspicious AJAX requests that attempt to delete countdowns, especially requests originating from Subscriber-level accounts.
4. Have site administrators review and limit user registrations and permissions so that only trusted users hold Subscriber or higher roles.
5. Follow the plugin vendor's updates closely and apply security patches as soon as they are released.
6. Consider a web application firewall (WAF) with custom rules that block unauthorized AJAX requests targeting this endpoint.
7. Take regular backups of WordPress site data, including plugin data, so that unauthorized deletions can be recovered.
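One way to carry out recommendations 1 and 3 while waiting for a vendor patch is a must-use plugin that intercepts the AJAX action before the plugin's own handler runs. This is an added example, not code from the Ninja Countdown plugin or its vendor; it assumes the endpoint is a standard admin-ajax.php action (so the request carries `action=ninja_countdown_admin_ajax`) and that countdown management should require the `manage_options` capability.

```php
<?php
/**
 * Plugin Name: Guard for ninja_countdown_admin_ajax (hypothetical example, not vendor code)
 * Description: Place in wp-content/mu-plugins/. Refuses the plugin's admin AJAX
 *              action to any user who lacks an administrative capability and logs
 *              the attempt.
 */

// admin-ajax.php fires 'admin_init' before dispatching 'wp_ajax_{action}', so a
// priority-0 hook runs before the plugin's own handler can touch the database.
add_action( 'admin_init', 'guard_ninja_countdown_admin_ajax', 0 );

function guard_ninja_countdown_admin_ajax() {
    // Only inspect admin-ajax.php requests.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    // Action name exactly as admin-ajax.php reads it (from $_REQUEST['action']).
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'ninja_countdown_admin_ajax' !== $action ) {
        return;
    }

    // Assumption: managing countdowns is an administrator task, so require
    // 'manage_options'. Change this if the site grants countdown editing to another role.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Log the refused call so log monitoring has a concrete line to match on.
    $user = wp_get_current_user();
    error_log( sprintf(
        'ninja_countdown_admin_ajax blocked: user_id=%d login=%s ip=%s',
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() terminates the request, so the plugin's handler never runs.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
```

Remove the guard once the vendor ships a version that performs the capability check itself, since the plugin's legitimate admin UI will then be protected at the source.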
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-03T21:16:37.757Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912b13314bc3e00ba783db2
Added to database: 11/11/2025, 3:44:51 AM
Last enriched: 2/27/2026, 8:56:23 PM
Last updated: 3/26/2026, 9:13:09 AM