What the vulnerability does
01 Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in adamskaat Countdown & Clock countdown-builder allows Remote Code Inclusion. This issue affects Countdown & Clock: from n/a through <= 2.8.8.
Explanation of Vulnerability in Simple Terms
02 Summary
A path traversal vulnerability in Countdown & Clock versions 2.8.8 and earlier allows an authenticated attacker to read, modify, or delete arbitrary files on the server. The vulnerability requires low-level user privileges and network access. An attacker can exploit this to access sensitive configuration files, database credentials, or other protected data stored on the site.
What an attacker can do
03 Attacker Capabilities
Read, modify, or delete arbitrary files on the server, including sensitive configuration and database files.
Potential impact on your site
04 Site Impact
Complete compromise of site data, credentials, and potentially the underlying server if sensitive files are accessed or modified.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege user account on the site; no user interaction required.
Key dates
06 Disclosure timeline
April 1, 2025: CVE published
April 29, 2026: Record updated