CVE-2026-12115
Status: Deferred - Pending Action
PHP Object Injection in Counter Box WordPress Plugin

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Wordfence

Description
The Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.13 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present. Deserialization is triggered automatically by the post-import redirect that renders the list table, and again when any item is opened for editing, so no navigation beyond the import action itself is required.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: wp_countdown
Product: counter_box
Version / Range: up to 2.0.13 (inclusive)
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Quick Actions
Executive Summary

The Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin is vulnerable to PHP Object Injection through deserialization of untrusted input in all versions up to 2.0.13.

This vulnerability allows authenticated users with administrator-level access or higher to inject PHP objects during certain plugin operations, such as post-import redirects and editing items.

However, the vulnerability itself has no direct impact unless another plugin or theme containing a Property Oriented Programming (POP) chain is installed on the site.

If such a POP chain exists, the attacker could potentially delete files, retrieve sensitive data, or execute arbitrary code depending on the POP chain available.

Impact Analysis

If exploited in an environment where a suitable POP chain is present, this vulnerability can lead to severe impacts including:

  • Deletion of arbitrary files on the server.
  • Retrieval of sensitive data stored on the server.
  • Execution of arbitrary code, potentially allowing full control over the affected system.

These impacts require that the attacker has administrator-level access and that another plugin or theme with a POP chain is installed.

Mitigation Strategies

To mitigate this vulnerability, ensure that the Counter Box plugin for WordPress is updated to a version later than 2.0.13, as all versions up to and including 2.0.13 are vulnerable.

Additionally, since exploitation requires a POP chain supplied by another installed plugin or theme, review the other plugins and themes on the site and remove or update any that might introduce such a chain.

Limit administrator-level access to trusted users only, as exploitation requires authenticated users with administrator privileges.

Compliance Impact

The vulnerability allows authenticated attackers with administrator-level access to potentially execute arbitrary code, delete files, or retrieve sensitive data if a POP chain is present via another plugin or theme. This exposure of sensitive data and potential unauthorized actions could impact compliance with standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive information.

However, the vulnerability itself requires administrator-level access and the presence of an additional plugin or theme containing a POP chain, which limits the attack surface. Organizations must consider these factors when assessing risk and compliance impact.
