CVE-2025-8445 identifies a stored cross-site scripting vulnerability in the Countdown Timer for Elementor plugin for WordPress, maintained by shaikhaezaz80. This vulnerability exists in all versions up to and including 1.3.9 due to improper neutralization of input during web page generation, specifically within the 'countdown_label' parameter. The flaw allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages where the countdown timer is used. Because the plugin fails to properly sanitize and escape user input before rendering it on the page, the injected scripts persist in the database and execute in the context of any user who visits the affected page. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, or redirection to malicious sites. The vulnerability does not require user interaction beyond page access but does require authenticated access, limiting the attack surface somewhat. The CVSS 3.1 score of 6.4 reflects a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to the potential impact on other users. No patches or official fixes have been published at the time of disclosure, and no known exploits are currently in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to cross-site scripting.

The primary impact of this vulnerability is on the confidentiality and integrity of user sessions and data within WordPress sites using the vulnerable plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of any users visiting the compromised pages, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. While availability is not directly affected, the reputational damage and potential data breaches can be significant. Since WordPress powers a large portion of websites globally and Elementor is a widely used page builder, many organizations could be at risk if they use this plugin. The requirement for authenticated access reduces the risk somewhat, but many sites allow Contributor or higher roles for content editors or external collaborators, increasing exposure. The scope of impact extends beyond the attacker’s account to all users viewing the injected content, which can include administrators and visitors. Without mitigation, this vulnerability could facilitate persistent attacks and lateral movement within compromised WordPress environments.

Organizations should immediately review user roles and permissions to restrict Contributor-level access to trusted users only, minimizing the risk of malicious input injection. Until an official patch is released, consider disabling or removing the Countdown Timer for Elementor plugin if it is not essential. For sites that must continue using the plugin, implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting the 'countdown_label' parameter. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly audit and sanitize existing content for injected scripts. Monitor logs for unusual activity from users with Contributor or higher privileges. Educate site administrators and editors about the risks of injecting untrusted content. Once a patch is available, apply it promptly. Additionally, consider using security plugins that provide XSS protection and input validation enhancements for WordPress.