Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
PR:H reflects the mandatory administrator credentials; AC:H captures the environmental dependency on a POP chain; C/I/A:H reflect the ceiling impact when such a chain is present.
Primary rating from Vendor (Wordfence).
CVSS Vector (Vendor: Wordfence)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
The Counter Box - Add Countdowns, Timers & Dynamic Counters to WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.13 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization is triggered automatically upon the post-import redirect that renders the list table, and again when any item is opened for editing, requiring no additional navigation beyond the import action itself.
Analysis (AI)
PHP Object Injection in the Counter Box WordPress plugin (all versions through 2.0.13) allows authenticated administrators to deserialize attacker-controlled input via the plugin's import functionality, with deserialization triggered automatically on the post-import redirect and again when any imported item is opened for editing. The vulnerability carries no standalone impact - exploitation is entirely contingent on a Property-Oriented Programming (POP) chain being present in a separately installed plugin or theme, at which point an attacker could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not reproduced here)
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an authenticated WordPress user with administrator-level access (role: Administrator or higher), as confirmed by the CVSS PR:H metric. … |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) scores 6.6, and the metric choices are well-grounded. … |
| Exploit Scenario | An attacker with WordPress administrator credentials navigates to the Counter Box import interface and uploads a crafted export file containing a malicious serialized PHP object. Upon completion of the import, the plugin's post-import redirect automatically deserializes the payload while rendering the list table - no further action by the attacker is required. … |
| Remediation | An upstream fix has been committed to the plugin's WordPress SVN repository (changeset 3570995, referenced at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3570995%40counter-box&new=3570995%40counter-box); however, the exact released patched version number is not independently confirmed from the available input data. Update to the latest available version from the WordPress Plugin Repository and verify that it supersedes 2.0.13. … |
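The following is an added illustration, not code from the Counter Box plugin or from Wordfence, of why deserializing imported data is a code-execution boundary and what a hardened import handler looks like. The function names (`import_unsafe`, `import_hardened`, `import_json`), the sample export record and the constructed payload are all assumptions made for this example; it assumes PHP 8.0 or later.

```php
<?php
// Added example (not the Counter Box plugin's code): contrast an import handler
// that calls unserialize() on uploaded data with one that refuses to instantiate
// classes. Function names and the sample payload are constructed for illustration.

// A plain array is what a countdown/counter export would realistically carry.
const SAMPLE_EXPORT = ['title' => 'Launch', 'end' => '2030-01-01', 'format' => 'dhms'];

// Constructed test input: the same record, but wrapped in an object. Here the
// class is only PHP's own stdClass, which is harmless; the point is that a site
// cannot know which other plugins' or themes' classes exist, so the payload must
// never be allowed to choose a class at all.
function constructed_object_payload(): string {
    $obj = (object) SAMPLE_EXPORT;
    return serialize(['item' => $obj]);
}

// Vulnerable pattern: every class name the payload contains is instantiated and
// its __wakeup()/__destruct() hooks run. That is exactly the entry point a POP
// chain shipped by another installed plugin or theme would provide.
function import_unsafe(string $raw): mixed {
    return unserialize($raw);
}

// Hardened pattern 1: allowed_classes => false makes PHP materialise any object
// in the payload as __PHP_Incomplete_Class, so no foreign class code executes.
// The handler then enforces the only shape it expects: arrays of scalars.
function import_hardened(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('import data is not valid serialized PHP');
    }
    if (!is_array($data)) {
        throw new InvalidArgumentException('import root must be an array');
    }
    // array_walk_recursive descends into nested arrays but treats objects
    // (including __PHP_Incomplete_Class) as leaves, where they are rejected.
    array_walk_recursive($data, function ($value) {
        if (is_object($value)) {
            throw new InvalidArgumentException('objects are not allowed in import data');
        }
    });
    return $data;
}

// Hardened pattern 2 (preferred for a new export format): JSON has no way to
// express a PHP object, so decoding it cannot instantiate anything.
function export_json(array $items): string {
    return json_encode($items, JSON_THROW_ON_ERROR);
}

function import_json(string $raw): array {
    $data = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('import root must be an array');
    }
    return $data;
}

// Demonstration on the constructed inputs.
$payload = constructed_object_payload();

$unsafe = import_unsafe($payload);
echo 'unsafe import produced an object of class ', get_class($unsafe['item']), "\n";

try {
    import_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo 'hardened import rejected the payload: ', $e->getMessage(), "\n";
}

$plain = serialize([SAMPLE_EXPORT]);
echo 'hardened import of a plain array round-trips: ',
     var_export(import_hardened($plain) === [SAMPLE_EXPORT], true), "\n";

$json = export_json([SAMPLE_EXPORT]);
echo 'JSON import round-trips: ',
     var_export(import_json($json) === [SAMPLE_EXPORT], true), "\n";
```

Run with `php example.php`. The unsafe path instantiates whatever class the payload names; the hardened path rejects the object payload while accepting the plain array round-trip, and the JSON path never touches `unserialize()` at all. The `allowed_classes` option is the minimal change for an existing serialized format; moving the export format to JSON removes the deserialization boundary entirely, which is the stronger fix when the format can be changed.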
EUVD-2026-37585