{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12665", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T21:16:37.757Z", "datePublished": "2025-11-11T03:30:46.636Z", "dateUpdated": "2026-04-08T17:11:11.837Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:11.837Z"}, "affected": [{"vendor": "lovelightplugins", "product": "Ninja Countdown | Fastest Countdown Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ninja Countdown | Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary countdowns."}], "title": "Ninja Countdown <= 1.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Countdown Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b0b6433-5651-4a9d-8356-5d02d51830f4?source=cve"}, {"url": "https://wordpress.org/plugins/ninja-countdown/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "timeline": [{"time": "2025-11-10T15:01:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T15:12:25.304032Z", "id": "CVE-2025-12665", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:05:39.808Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12665", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T15:12:25.304032Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T15:12:27.738Z"}}], "cna": {"title": "Ninja Countdown <= 1.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Countdown Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "lovelightplugins", "product": "Ninja Countdown | Fastest Countdown Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.5.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T15:01:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b0b6433-5651-4a9d-8356-5d02d51830f4?source=cve"}, {"url": "https://wordpress.org/plugins/ninja-countdown/"}], "descriptions": [{"lang": "en", "value": "The Ninja Countdown | Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary countdowns."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:11.837Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12665", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:11.837Z", "dateReserved": "2025-11-03T21:16:37.757Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:46.636Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ninja Countdown | Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary countdowns."}], "id": "CVE-2025-12665", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:49.103", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/ninja-countdown/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b0b6433-5651-4a9d-8356-5d02d51830f4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:27:44.617707+00:00", "value": {"mitigation_remediation": ["Upgrade the Ninja Countdown plugin to version 1.5.1 or newer, which includes the missing capability check.", "If an immediate upgrade is not possible, disable the plugin or remove it entirely to prevent access to the vulnerable AJAX endpoint.", "If deletion must be preserved temporarily, remove or restrict the 'ninja_countdown_admin_ajax' endpoint by editing the plugin\u2019s code or using a custom filter to enforce stricter capability checks."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Deletion of Countdowns"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Ninja Countdown | Fastest Countdown Builder plugin, version 1.5.0 or earlier, are affected.", "description_and_impact": "The Ninja Countdown plugin for WordPress contains a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to and including 1.5.0. Because the endpoint does not verify the user\u2019s role, any authenticated user with Subscriber level or higher can trigger a request that deletes an arbitrary countdown. The consequence is loss of user\u2011created countdown data, which could impact site functionality or advertising schedules, and represents a moderate data\u2011loss vulnerability per the CWE-862 classification.", "risk_and_exploitability": "The CVSS score of 4.3 reflects moderate severity, and an EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and exploitation requires only an authenticated account at the Subscriber level or higher, which is commonly granted to regular site users. While the attack vector is relatively simple\u2014sending a crafted AJAX request to delete a countdown\u2014defenders should still prioritize remediation because the loss of countdown data can be disruptive to site operations."}}}}, "created": "2025-11-12T12:47:40.552140+00:00", "updated": "2026-04-21T18:30:27.587449+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}