CVE-2026-1654: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pkthree Peter’s Date Countdown
The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2026-1654 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Peter’s Date Countdown plugin for WordPress, affecting all versions up to and including 2.0.0. The root cause is insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] value, which the plugin writes into generated page markup. PHP_SELF holds the path of the currently executing script together with any path info appended to the request URI, so part of its value is derived from the requested URL and can be influenced by whoever constructs that URL; when it is echoed without context-aware escaping, arbitrary JavaScript can be injected into the page. Because the vulnerability is reflected, the malicious payload is embedded in a crafted URL that, when clicked by a user, causes the injected script to execute in the context of the vulnerable website. This can lead to theft of cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of the user. The vulnerability does not require authentication, making it accessible to unauthenticated attackers, but it does require user interaction (clicking a malicious link). The vulnerability was published on February 5, 2026, with a CVSS v3.1 base score of 6.1, indicating medium severity. No patches or updates are currently linked, and no known exploits have been reported in the wild. The CWE classification is CWE-79, which covers improper neutralization of input during web page generation leading to XSS.
Potential Impact
The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with affected WordPress sites using the Peter’s Date Countdown plugin. Attackers can execute arbitrary scripts in the victim’s browser, potentially stealing session cookies, login credentials, or other sensitive data. This can lead to account takeover or unauthorized actions performed with the victim’s privileges. While availability is not directly impacted, successful exploitation can facilitate phishing attacks or malware distribution, indirectly harming users and the organization’s reputation. Since the vulnerability is unauthenticated and requires only user interaction, it can be exploited at scale via phishing campaigns. Organizations running WordPress sites with this plugin are at risk of reputational damage, data breaches, and loss of user trust if the vulnerability is exploited.
Mitigation Recommendations
1. Immediate mitigation should include disabling or removing the Peter’s Date Countdown plugin until a patched version is released.
2. If disabling is not feasible, implement a Web Application Firewall (WAF) with rules to detect and block suspicious payloads targeting the $_SERVER['PHP_SELF'] parameter or reflected XSS patterns.
3. Educate users and administrators about the risks of clicking suspicious links and encourage vigilance against phishing attempts.
4. Monitor web server logs for unusual URL patterns that may indicate exploitation attempts.
5. Developers should update the plugin code to properly sanitize and encode all user-controllable inputs, especially $_SERVER['PHP_SELF'], using secure coding practices such as context-aware output encoding.
6. Once available, promptly apply official patches or updates from the plugin vendor.
7. Conduct regular security assessments and penetration testing on WordPress sites to identify and remediate similar vulnerabilities proactively.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-29T19:18:24.125Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69846323f9fa50a62f145d3d
Added to database: 2/5/2026, 9:30:11 AM
Last enriched: 2/27/2026, 9:17:33 AM
Last updated: 3/22/2026, 2:08:56 AM