{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1654", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-29T19:18:24.125Z", "datePublished": "2026-02-05T09:13:45.990Z", "dateUpdated": "2026-04-08T17:34:06.211Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:06.211Z"}, "affected": [{"vendor": "pkthree", "product": "Peter\u2019s Date Countdown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Peter's Date Countdown <= 2.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8f8e436-2679-4ecb-831e-2b22dd99be32?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/peters-date-countdown/tags/2.0.0/datecountdown.php#L246"}, {"url": "https://plugins.trac.wordpress.org/changeset/3450122/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "timeline": [{"time": "2026-01-30T01:23:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-04T20:34:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T14:32:56.336763Z", "id": "CVE-2026-1654", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:33:07.809Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1654", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T14:32:56.336763Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:33:00.593Z"}}], "cna": {"title": "Peter's Date Countdown <= 2.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']", "credits": [{"lang": "en", "type": "finder", "value": "Abdulsamad Yusuf"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "pkthree", "product": "Peter\u2019s Date Countdown", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-30T01:23:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-04T20:34:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8f8e436-2679-4ecb-831e-2b22dd99be32?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/peters-date-countdown/tags/2.0.0/datecountdown.php#L246"}, {"url": "https://plugins.trac.wordpress.org/changeset/3450122/"}], "descriptions": [{"lang": "en", "value": "The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:06.211Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1654", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:06.211Z", "dateReserved": "2026-01-29T19:18:24.125Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-05T09:13:45.990Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Peter's Date Countdown para WordPress es vulnerable a cross-site scripting reflejado a trav\u00e9s del par\u00e1metro '$_SERVER['PHP_SELF']' en todas las versiones hasta la 2.0.0, inclusive, debido a la sanitizaci\u00f3n insuficiente de la entrada y al escape de la salida. Esto permite que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1654", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-05T10:16:03.857", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/peters-date-countdown/tags/2.0.0/datecountdown.php#L246"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3450122/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8f8e436-2679-4ecb-831e-2b22dd99be32?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T17:29:03.511027+00:00", "value": {"mitigation_remediation": ["Upgrade Peter\u2019s Date Countdown to the latest release (any version newer than 2.0.0) to eliminate the unsanitized input usage.", "If upgrading is not immediately feasible, modify the plugin\u2019s source by adding proper sanitization to the $_SERVER['PHP_SELF'] variable and apply output escaping such as wp_kses before rendering any user\u2011controlled data.", "Deploy site\u2011wide XSS protection, for example by enabling WordPress\u2019s built\u2011in XSS filtering or installing a reputable security plugin that automatically sanitizes or blocks reflected script payloads."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting that allows arbitrary script injection when a user visits a malicious URL"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all releases of the Peter\u2019s Date Countdown plugin up to and including version 2.0.0. WordPress sites running any of those versions of the plugin are potentially exposed.", "description_and_impact": "The Peter\u2019s Date Countdown WordPress plugin contains a reflected cross\u2011site scripting flaw caused by an unsanitized use of the PHP variable $_SERVER['PHP_SELF']. An attacker who can entice a user to visit a specially crafted link can inject JavaScript that runs in the victim\u2019s browser, allowing the execution of arbitrary code within the context of the site. This CWE\u201179 vulnerability does not require authentication and is limited to the victim\u2019s session, but it can be used to hijack sessions, deface pages, or launch further attacks.", "risk_and_exploitability": "The CVSS score is 6.1, indicating moderate severity. The EPSS score is below 1% and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting current exploitation likelihood is low. However, the flaw is trivially exploitable via a crafted URL, requires no authentication, and relies only on a typical user interaction (clicking a link). As such, the risk profile is moderate, with potential for abuse in phishing or social engineering scenarios."}}}}, "created": "2026-02-06T12:05:42.244587+00:00", "updated": "2026-04-15T18:00:15.517194+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}