Counter Box Add Countdowns Timers Dynamic Counters To Wordpress
PHP Object Injection in the Counter Box WordPress plugin (all versions through 2.0.13) allows authenticated administrators to deserialize attacker-controlled input via the plugin's import functionality, with deserialization triggered automatically on the post-import redirect and again when any imported item is opened for editing. The vulnerability carries no standalone impact: exploitation is entirely contingent on a Property-Oriented Programming (POP) chain being present in a separately installed plugin or theme, at which point an attacker could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit is identified at time of analysis, and the CVSS AC:H and PR:H ratings reflect both the administrative access requirement and the environmental dependency on co-installed POP chain software.