The Redirect countdown WordPress plugin by haghs suffers from a CSRF vulnerability identified as CVE-2026-1390, classified under CWE-352. This vulnerability exists because the plugin's countdown_settings_content() function lacks nonce validation, a security measure designed to prevent unauthorized commands from being executed via forged requests. As a result, an attacker can craft a malicious link or webpage that, when visited by a WordPress site administrator, causes the administrator's browser to send unauthorized requests to the plugin, modifying critical settings such as the countdown timeout, redirect URL, and custom text. Since the attacker does not need to be authenticated and the attack relies on social engineering to induce administrator interaction, the attack vector is relatively accessible but requires user interaction. The vulnerability affects all versions up to and including 1.0 of the plugin. Although the impact does not include direct data disclosure or denial of service, the unauthorized changes to redirect URLs could be leveraged for phishing or redirecting users to malicious sites, indirectly impacting user trust and site integrity. The CVSS score of 4.3 reflects a medium severity level, considering the ease of exploitation and the limited scope of impact. No patches or exploits are currently reported, but the vulnerability's presence in a popular CMS plugin necessitates prompt attention.

The primary impact of this vulnerability is on the integrity of the affected WordPress sites using the Redirect countdown plugin. Attackers can alter plugin settings without authentication, potentially redirecting users to malicious sites, which could facilitate phishing attacks or malware distribution. This undermines user trust and could damage the reputation of the affected organizations. While confidentiality and availability are not directly compromised, the indirect effects of malicious redirects can lead to broader security incidents. Organizations relying on this plugin may face increased risk of targeted attacks, especially if attackers combine this vulnerability with social engineering tactics to trick administrators. The scope is limited to sites running the vulnerable plugin, but given WordPress's extensive market share, the number of affected sites could be substantial. The requirement for administrator interaction reduces the likelihood of widespread automated exploitation but does not eliminate risk, especially in environments with less security awareness.

To mitigate this vulnerability, organizations should immediately update the Redirect countdown plugin to a version that includes nonce validation once available. In the absence of an official patch, administrators can implement manual nonce checks in the countdown_settings_content() function to validate requests and prevent CSRF. Additionally, enforcing strict administrator browsing policies, such as avoiding clicking untrusted links while logged into WordPress admin, can reduce risk. Employing web application firewalls (WAFs) with CSRF protection rules may help detect and block suspicious requests targeting plugin settings. Regularly auditing plugin configurations and monitoring for unexpected changes can also help detect exploitation attempts early. Finally, educating administrators about the risks of CSRF and social engineering attacks is critical to prevent inadvertent exploitation.