Hong Kong Security Advisory: IMS Countdown XSS (CVE-2024-11755)

Cross-Site Scripting (XSS) in WordPress IMS Countdown Plugin

Plugin Name: IMS Countdown
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2024-11755
Urgency: Low
CVE Publish Date: 2026-02-03
Source URL: CVE-2024-11755

Urgent: Stored XSS in IMS Countdown (≤ 1.3.5) — What WordPress Site Owners and Developers Must Do Now

Published: 3 February 2026

Summary from a Hong Kong security expert: a stored Cross-Site Scripting (XSS) vulnerability affecting the IMS Countdown plugin (versions ≤ 1.3.5) was disclosed (CVE-2024-11755). An authenticated user with Contributor privileges can inject persistent JavaScript into plugin-managed content; that script may execute later when other users—including administrators or visitors—view the affected content. Treat this seriously and act quickly.

Quick summary (TL;DR)

  • Stored XSS in IMS Countdown (≤ 1.3.5) allows a Contributor to inject persistent JavaScript payloads.
  • Fixed in IMS Countdown 1.3.6 — update immediately to that version or later.
  • If you cannot update right away: deactivate the plugin, restrict Contributor privileges, search for suspicious content, rotate sensitive credentials, and apply targeted mitigations.
  • Long-term: enforce input sanitization and escaping, capability checks, and layered defenses (CSP, monitoring, and WAF where applicable).

What happened (technical overview)

Stored XSS occurs when untrusted input is saved by the application and later rendered without proper escaping. For IMS Countdown (≤ 1.3.5):

  • The plugin accepts content from authenticated users (Contributor or higher).
  • Input was not adequately sanitized before being stored or rendered, allowing HTML/JavaScript to persist.
  • Any user who views the page, widget, admin preview, or dashboard panel rendering the stored data may execute the attacker’s script.
  • Exploitation requires a logged-in Contributor to perform the injection; published materials report a CVSS score of around 6.5.

Contributors can create content that is sometimes rendered in contexts visible to administrators or the public (shortcodes, previews, widgets), which is why this privilege level is significant.
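To make the "sanitize on save, escape on output" distinction concrete, the following is an added illustration and not the IMS Countdown plugin's own code: a hypothetical countdown-label shortcode shown first in the vulnerable pattern (raw value stored, raw value rendered) and then in the hardened pattern with a capability check, nonce check, sanitization and output escaping. The meta key `_demo_countdown_label`, the form field and nonce names, and the `demo_countdown` shortcode name are all assumptions.

```php
<?php
// Added illustration, not the plugin's code. A hypothetical shortcode that renders
// a countdown label stored in post meta under the assumed key "_demo_countdown_label".

// VULNERABLE pattern: the submitted value is stored and rendered without any checks.
function demo_countdown_save_vulnerable( $post_id ) {
    if ( isset( $_POST['countdown_label'] ) ) {
        // No capability or nonce check and no sanitization: whatever a Contributor
        // submits, markup included, is persisted as-is.
        update_post_meta( $post_id, '_demo_countdown_label', $_POST['countdown_label'] );
    }
}
function demo_countdown_render_vulnerable( $atts ) {
    $atts  = shortcode_atts( array( 'id' => get_the_ID() ), $atts );
    $label = get_post_meta( (int) $atts['id'], '_demo_countdown_label', true );
    // The stored value reaches the page unescaped: this is the stored-XSS sink.
    return '<div class="countdown">' . $label . '</div>';
}

// HARDENED pattern: capability and nonce checks, sanitize on save, escape on output.
function demo_countdown_save_hardened( $post_id ) {
    if ( ! isset( $_POST['countdown_label'] ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return; // The requester may not edit this post at all.
    }
    if ( ! isset( $_POST['demo_countdown_nonce'] )
         || ! wp_verify_nonce( $_POST['demo_countdown_nonce'], 'demo_countdown_save' ) ) {
        return; // Reject form posts that did not originate from our own editor screen.
    }
    // Strip tags, line breaks and control characters before the value is stored.
    $label = sanitize_text_field( wp_unslash( $_POST['countdown_label'] ) );
    update_post_meta( $post_id, '_demo_countdown_label', $label );
}
function demo_countdown_render_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'id' => get_the_ID() ), $atts );
    $label = get_post_meta( absint( $atts['id'] ), '_demo_countdown_label', true );
    // Escape at the point of output regardless of what was stored, so rows written
    // by an older, unsanitized version of the save handler still cannot execute.
    return '<div class="countdown" data-label="' . esc_attr( $label ) . '">'
        . esc_html( $label ) . '</div>';
}
add_action( 'save_post', 'demo_countdown_save_hardened' );
add_shortcode( 'demo_countdown', 'demo_countdown_render_hardened' );
```

Escaping on output is the control that also neutralizes payloads already sitting in the database, which is why an update that only adds sanitization on save should be followed by the content search recommended below.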

Real-world impact scenarios

  • Account takeover: scripts can exfiltrate cookies or tokens when executed by admins.
  • Defacement and spam: injected scripts may display unwanted content, create redirects, or insert hidden links.
  • Supply-chain risk: hijacked admin sessions can be used to push malicious code into other systems.
  • Credential harvesting and phishing: fake admin prompts can capture privileged credentials.
  • Reputation and SEO impact: malicious redirects or content can lead to blacklisting or search penalties.

Even a small widget can be a high-impact vector because the payload executes in visitors’ or administrators’ browsers.

Who is at risk?

  • Sites with IMS Countdown installed and active on versions ≤ 1.3.5.
  • Sites that permit Contributor-level registrations or external contributors.
  • Sites that render Contributor-provided content in admin previews, widgets, or public pages without additional checks.

Immediate actions (what to do in the next 1–24 hours)

  1. Update the plugin to 1.3.6 (or later) right away. This is the definitive fix. Apply the update on production immediately or schedule an emergency maintenance window.
  2. If you cannot update immediately, deactivate the plugin. Deactivation prevents the plugin’s rendering code from exposing stored payloads. If the widget is essential, replace it temporarily with static content.
  3. Lock down Contributor uploads and input. Disable new Contributor registrations or restrict their ability to create content that is rendered publicly or by admins.
  4. Search for suspicious stored content. Inspect countdown entries, shortcodes, post meta, and plugin-specific tables for