CVE-2024-13901

Published Mar 1, 2025

Last updated 10 months ago

CVSS medium 4.4

Overview

Description
The Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source
security@wordfence.com
NVD status
Analyzed
Products
counter_box

Risk scores

CVSS 3.1

Type
Primary
Base score
4.8
Impact score
2.7
Exploitability score
1.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

security@wordfence.com
CWE-79

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2024-13901 🟠 MEDIUM (4.4) 🏢 wpcalc - Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site 🏗️ * 🔗 https://t.co/PH9qySSyJl 🔗 https://t.co/4GMcZEpmSA 🔗 https://t.co/lxxofgm5M3 #CyberCron #VulnAlert #InfoSec https://t.co/ECJlfeG1Cz

    @cybercronai

    2 Mar 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-13901 The Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the… https://t.co/SquY3tDXXr

    @CVEnew

    1 Mar 2025

    117 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2024-13901 DOM-Based Stored XSS in Counter Box WordPress Plugin via 'content... https://t.co/DO5LEDD6Yv Vulnerability Alert Subscriptions: https://t.co/hrQhy5uz4x

    @VulmonFeeds

    1 Mar 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Counter Box allows Cross Site Request Forgery. This issue affects Counter Box: from n/a through 2.0.5.CVE-2025-24715
  2. The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via CSRF attacksCVE-2024-3481

References

Sources include official advisories and independent security research.