What the vulnerability does
01 Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer allows PHP Local File Inclusion. This issue affects Sales Countdown Timer for WooCommerce and WordPress: from n/a through < 1.1.9.
Explanation of Vulnerability in Simple Terms
02 Summary
The Sales Countdown Timer for WooCommerce and WordPress plugin through version 1.1.9 contains a code injection vulnerability. An authenticated attacker with low privileges can inject and execute arbitrary PHP code on the site, potentially compromising the entire WordPress installation. The vulnerability requires high attack complexity but grants full control over site data and functionality.
What an attacker can do
03 Attacker Capabilities
Run arbitrary PHP code on the site and access or modify any data.
Potential impact on your site
04 Site Impact
Complete site compromise: attacker can steal data, modify content, create admin accounts, or inject malware.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress account (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
February 19, 2026: CVE published
April 28, 2026: Record updated