CVE-2025-2270
Countdown, Coming Soon, Maintenance – Countdown & Clock <= 2.8.9.1 - Unauthenticated Limited Local File InclusionThe Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.9.1 via the createCdObj function. This makes it possible for unauthenticated attackers to include and execute files with the specific filenames on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in some cases.
We have discovered 34 live websites that are affected by CVE-2025-2270.
Affected Software
| Product |  Countdown Builder |
| Category | Wordpress Plugins |
| Vulnerable Domains | 34 live websites (4.80% of Countdown Builder install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 6 versions ( 11% of all versions) |
Common Weakness Enumeration
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Details
- Published - Apr 4, 2025
- Updated - Apr 8, 2026
Credits
- Michael Mazzolini (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-2270 United States | 10 websites |
 Germany | 6 websites |
 France | 4 websites |
 Spain | 3 websites |
 GB | 2 websites |
 Italy | 2 websites |
 Bulgaria | 1 websites |
 Switzerland | 1 websites |
 Nigeria | 1 websites |
 Netherlands | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2025-2270| .com | 10 websites |
| .de | 5 websites |
| .org | 5 websites |
| .eu | 3 websites |
| .it | 2 websites |
| .ch | 1 websites |
| .edu | 1 websites |
| .es | 1 websites |
| .fr | 1 websites |
| .nl | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-2270
Top websites that are affected by CVE-2025-2270. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.***.ng | Nigeria | *,***,*** | |
| *******.sk |  Slovakia | *,***,*** | |
| *********.com | France | **,***,*** | |
| *****************.it | Italy | **,***,*** | |
| ***************.eu | United States | **,***,*** | |
| ******.org | Bulgaria | **,***,*** | |
| *****************.nl | Netherlands | **,***,*** | |
| *******.****.eu | France | **,***,*** | |
| *******************.org | United States | **,***,*** | |
| *****.de | Germany | **,***,*** |
FAQ
CVE-2025-2270 is Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Countdown Builder
A total of 34 websites have been identified as vulnerable to CVE-2025-2270, based on global website indexing conducted by WebTechSurvey.
The Countdown Builder is affected by the CVE-2025-2270 vulnerability.
Countdown Builder versions up to and including 2.8.9.1 are vulnerable to CVE-2025-2270.