The Themify Post Type Builder Search Addon WordPress plugin before 1.4.0 does not properly escape the current page URL before reusing it in a HTML attribute, leading to a reflected cross site scripting vulnerability.

CVE-2022-1047

The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.

CVE-2019-25060

Pro Features Lock Bypass vulnerability in Countdown & Clock plugin <= 2.3.2 at WordPress.

*   Details
*   Reviews
*   Installation
*   Development

Countdown builder – Customizable Countdown Timer  
A very simple plugin to add **countdown** timer to your website.  
**Countdown** timer allow you to create nice and functional Countdown timer just in a few minutes.  
This is the best way to create beautiful **Countdown** for your users.  
You can use our Countdown timer in your posts/pages via shortcode example like this  
\[ycd\_countdown id=73\]

Countdown types

*   Circle Countdown
*   Digital
*   Timer Countdown
*   Clock 1
*   Clock 2
*   Clock 3
*   Clock 4
*   Clock 5
*   Clock 6
*   Clock 7
*   Simple countdown
*   Sticky Countdown
*   Circle countdown & popup
*   Flipclock countdown
*   Flipclock countdown & popup
*   WooCommerce countdown
*   WooCommerce coupons
*   Coming Soon page

How to create Countdown example

We do web development and if you need a developer or if you think you have found a bug in Read more plugin, if you have any question, please feel free to contact us by this email adamskaat1@gmail.com.

1.  Upload the ‘Countdown’ plugin folder to the ‘/wp-content/plugins/’ directory.
2.  Activate the “countdown-builder” list plugin through the ‘Plugins’ menu in WordPress.
3.  Check the Countdowns Menu button and start adding Countdown.

**How can I insert it into my pages/posts**

After you installed the plugin you can go to your pages/posts and just click on our plugin shortcode button and add it to your pages/posts.

Yes you can, we have Circle and Flipclock countdown popups.

**What files I need to upload for installing the plugin**

You need to select the .zip file, there is no need to extract the zip file, just upload it.

I am a web designer and marketer from Bulgaria. I have been working in these specialties for 20 years now, and I have enough experience to determine the professional level of any Internet software creator, as well as their efficiency, responsiveness and honesty. I am extremely happy to find not only the 'Countdown & Clock' software, but also the manufacturing company. If there were more such manufacturers, the world would be a paradise for people from every country. I thank them. Toni

Es justo lo que necesitaba

I wanted a simple way to count down various milestones in my journey and this plugin was perfect for me. It's very easy to use and has plenty of customizations, even without paying anything.

Easy to install, easy to use, works perfectly well.

So simple and helpful plugin! Thank you so much!

Read all 162 reviews

“Countdown, Coming Soon, Maintenance – Countdown & Clock” is open source software. The following people have contributed to this plugin.

Contributors

*    adamskaat

**2.5.8**

*   Added Countdown Expiration WooCommerce Condition “The cart will not empty the countdown”

**2.5.7**

*   Added Simple countdown translation
*   Added disable google fonts option

**2.5.6**

*   Changed the default value of the Countdown Expiration WooCommerce Condition
*   Fixed PHP warnings

**2.5.5**

*   Fixed flip clock popup open onload
*   Added info tooltip text to describe feature

**2.5.4**

*   Added display rules post categories detection
*   Improved display rules WooCommerce label
*   Added display rules for all custom posts categories detection
*   Added display rile for WooCommerce Shop page detection
*   Added display rile for WooCommerce Cart page detection
*   Added display rile for WooCommerce Account page detection

**2.5.3**

*   Added Countdown fixed position

**2.5.2**

*   Added Sticky Countdown ” Enable sticky footer ” option
*   Added WooCommerce Number of products sold
*   Fixed WooCommerce coupon date issue

**2.5.1**

*   Added WooCommerce Number of products less than
*   Added WooCommerce Number of products more than
*   Code improvement

**2.5.0**

*   Added display rule All tags
*   Added display rule Selected tags
*   Admin panel UI improvements
*   Fixed Display rule pages search
*   Minor bug fixes and improvements

**2.4.9**

*   Added Countdown Expiration WooCommerce Condition (Stock is empty)
*   Added Countdown Expiration WooCommerce Condition (Stock is not empty)
*   Improved general options section
*   Improved Display rule condition

**2.4.8**

*   Fixed Simple countdown expiration default behavior
*   Fixed Simple countdown timer preview issue during duration change

**2.4.7**

*   Fixed Countdown translation warnings
*   Improved Display Rules section
*   Added page type Home, Posts, Search, 404, Archive

**2.4.6**

*   Fixed coming soon mode option
*   Fixed coming soon page render html tags issue

**2.4.5**

*   Added Display Rules new section
*   Added possibility to from settings include (Timer Countdown, Clock 1, Clock 2, Clock 3, Clock 4, Clock 5, Clock 6, Clock 7) types
*   Added New feature suggestion request section
*   Fixed some warnings

**2.4.4**

*   Countdown Admin panel fixes

**2.4.3**

*   Added possibility to translate the circle countdown texts related to browser language.

**2.4.2**

*   Sticky Countdown Double Digits option

**2.4.1**

*   Added Years possibility to simple countdown

**2.4.0**

*   Fixed Clock1 options
*   Fixed Clock2 options
*   Fixed Clock3 options
*   Fixed Coming Soon options
*   Fixed Countdown button options
*   Bug fixed types section

**2.3.5**

*   Fixed moment js file

**2.3.4**

*   Code fixes

**2.3.3**

*   Code fixes

**2.3.2**

*   Added Simple countdown numbers margin
*   Added Simple countdown text margin

**2.3.1**

*   Simple countdown added Text to top (new)
*   Sticky countdown close button text position change possibility (new)

**2.3.0**

*   Added compatibility with Polylang

**2.2.9.2**

*   Fixed Display on save issue

**2.2.9.1**

*   Fixed some warnings
*   Fixed issue on PHP 8
*   Code improvement

**2.2.9**

*   Security improvement
*   Fixed onclick Countdown popup issue

**2.2.8**

*   Fixed Simple countdown save duration option
*   Fixed Sticky countdown save duration option
*   Fixed countdown preview box height limitation issue

**2.2.7**

*   Hide Editor Media buttons (new settings)
*   Settings options save improvement

**2.2.6**

*   Added Enable date for the timers

**2.2.5**

*   Fixed simple countdown countUp issue
*   Fixed Days durations limitation

**2.2.4**

*   Added Countdown Enable start date (New)
*   Added Clocks Background color change possibility.
*   Fixed Security issue during countdowns clone

**2.2.3**

*   Bug fixed of the Countdown Gutenberg block
*   Countdown Gutenberg block improvements

**2.2.2**

*   Added Custom font family functionality
*   Fixed the progress bar color change issue
*   Fixed the progress bar percentage calculation issue
*   Fixed schedules date calculation with simple countdown type

**2.2.1**

*   Fixed Change countdown before text after expiration saving issue
*   Fixed Change countdown before text before expiration saving issue

**2.2.0**

*   Fixed debricated function and compatible with the PHP 8

**2.1.9**

*   Fixed Change countdown before text after expiration during count up
*   Fixed Change countdown after text after expiration during count up
*   Fixed coming soon warnings

**2.1.8**

*   Change countdown before text after expiration
*   Change countdown after text after expiration

**2.1.7**

*   Upcoming Day Of Week (Recurring) (New Feature)

**2.1.6.1**

*   Time zone bug fixed

**2.1.6**

*   Time zone per user functionality

**2.1.5**

*   Sticky Countdown Button close banner behavior
*   Sticky countdown admin side improvement

**2.1.4**

*   Sticky button copy alert after copy

**2.1.3**

*   Added possibility via Sticky countdown button copy text

**2.1.2**

*   Added security for settings save
*   Support menu fixed

**2.1.1**

*   Fixed simple countdown date calculation issue
*   Fixed schedule issue

**2.1.0**

*   Added simple countdown months new time unite

**2.0.9**

*   Fixed Display on option save issue on PHP 8
*   Fixed Coming Soon issue for logged in users on PHP 8
*   Duration live preview issue Circle and Simple countdowns

**2.0.8**

*   Coming soon Automatically start by date
*   Coming soon Automatically expire by date
*   Coming soon admin section improvement

**2.0.7**

*   Added possibility add shortcode inside Coming soon page content
*   Fixed added slashes issue in coming soon page content
*   Added random number plugin to more plugins section

**2.0.6**

*   Fixed Simple Countdown tyoe count up functionality

**2.0.5**

*   Fixed Simple Countdown type after expiration issue
*   Fixed Simple Countdown type responsiveness issue
*   Fixed Admin side live preview box dragable issue
*   Fixed Simple Countdown And Subscription type issue
*   Fixed Simple Countdown type dots font size issue

**2.0.4**

*   Multiple Simple countdowns dates confilict fixed

**2.0.3**

*   Simple countdown double digits

**2.0.2**

*   Simple countdown live preview labels on/off issue fixed
*   Code improvement related to WordPress 5.7

**2.0.1**

*   Simple countdown display on pages option fixed

**2.0.0**

*   Nav bar on the Countdown types section
*   Show on selected user roles (Coming Soon option)
*   Schedule 1 option bug fixed
*   Code optimization
*   Code clean up

**1.9.9**

*   Fixed countdown activation issue
*   Fixed circle countdown
*   Countdown admin panel options label typo fixes

**1.9.8**

*   Simple countdown Numbers Color
*   Simple countdown Labels Color
*   Simple countdown Numbers Font Family
*   Simple countdown Labels Font Family
*   Admin side improvements

**1.9.7**

*   Fixed simple countdown issue on Safari browser

**1.9.6**

*   Simple countdown numbers font size
*   Simple countdown labels font size

**1.9.5**

*   Simple Countdown type live preview improvement
*   Fixed Sticky Countdown issue on Iphone devices
*   Improved Date Time Picker

**1.9.4**

*   Simple countdown new type

**1.9.3**

*   Added ‘ Print scripts to the page ‘ option in the Setting section
*   WordPress 5.6 version full support

**1.9.2**

*   Added possibility close Sticky Countdown
*   Added possibility to change Sticky Countdown close text
*   Admin side type sections improvement

**1.9.1**

*   Sticky Countdown Sections Order

**1.9.0**

*   Inside Sticky Countdown type, added possibility select another countdown type to show countdown
*   Coming Soon type code improvements

**1.8.9**

*   Added Demo website
*   Improved deactivation survey
*   Fixed Timer countdown buttons issue
*   Schedule countdown bug fixed
*   Sticky countdown bug fixed

**1.8.8**

*   Deactivation survey

**1.8.7**

*   Create default countdown after the first activation
*   Bug fixes

**1.8.6**

*   Timer Before HTML
*   Timer After HTML
*   Compatibility test with WordPress 5.5 version

**1.8.5**

*   Countdown Widget Title Change
*   Countdown Settings Save Message
*   Coming Soon setting Save Message

**1.8.4**

*   Moment js lib customization and prevent conflict with other plugins
*   Colors Rgba possibility
*   Coming soon IP whitelist feature
*   Code improvements

**1.8.3**

*   Sticky Countdown expiration time bug fixed
*   After activation redirect to plugin menu section
*   Countdowns types section improvement

**1.8.2**

*   Timer countdown enable labels
*   Timer countdown labels font size

**1.8.1**

*   Sticky countdown button redirect to new tab option

**1.8.0**

*   Add sticky countdown to version
*   WooCommerce coupon integration

**1.7.9**

*   Admin side fixed Warnings

**1.7.8**

*   Admin side improvements

**1.7.7**

*   Circle time extension
*   Admin side hide coming soon menu setting
*   Admin side info metabox
*   Sticky countdown type improvements
*   WooCommerce countdown type improvements
*   Bug fixes

**1.7.6**

*   Countdown Clone (new)
*   Coming Soon Custom JS (new)
*   Coming Soon Custom CSS (new)
*   Circle Timer (coming soon)

**1.7.5**

*   New Maintenance mode (new)
*   Timer days option (new)
*   Support metabox coming soon section
*   Bug fixes

**1.7.4**

*   Timer start button Custom class name (new)
*   Timer reset button Custom class name (new)
*   Timer AutoPlay after restart (new)

**1.7.3**

*   Fixed Saved duration issue related to Days
*   Reset duration (new)

**1.7.2**

*   Countdown timer milliseconds (new)

**1.7.1**

*   Add duration Days option (new)
*   Schedule 2 (new)
*   Admin side improvement

**1.7.0**

*   Save Duration For Each User (new)
*   Admin Side Is Expired Bug Fixed
*   Circle Countdown Popup Saving Issue Fixed
*   Bug Fixed Related To Schedule Countdown

**1.6.9**

*   Save Duration (new)
*   Code optimization

**1.6.8**

*   Circle countdown text margin top (new)
*   Circle countdown numbers margin top (new)
*   Coming Soon Background Video (new)

**1.6.7**

*   Countdown Shortcode metabox (new)
*   Admin Design improvement

**1.6.6**

*   Circle Countdown switch Number And Text (new)

**1.6.5**

*   Coming Soon add Countdown (new)
*   Coming Soon Headline Color (new)
*   Coming Soon Message Color (new)
*   Coming Soon Font Family (new)

**1.6.4**

*   Coming Soon new menu type(new)
*   Coming Soon background color(new)
*   Coming Soon background image(new)
*   Count up bug fixed

**1.6.3**

*   Coming Soon Header Title (new)
*   Coming Soon SEO Meta Description (new)
*   Coming Soon Favicon (new)

**1.6.2**

*   Coming Soon Page (new)

**1.6.1**

*   Shortcode Date attribute \[ycd\_countdown id=63 date=”2019-11-25 22:25″\]
*   JS custom trigger YcdExpired

**1.6.0**

*   Due date bug fixed
*   New Video tutorials section
*   Countdown Number Styles Font Size option improvement

**1.5.9**

*   Countdowns table copy shortcode
*   New Ideas sub menu
*   Admin side improvements
*   Countdown Button new features and video example
*   Bug fixed

**1.5.8**

*   Custom JS (new)
*   Circle countdown Redirect to new tab (new)
*   Countdown button new options
*   Bug fixed

**1.5.7**

*   Font load issue
*   Countdown button extension
*   Code optimization

**1.5.6**

*   Count up from End Date (new)
*   Admin panel improvements

**1.5.5**

*   More plugins section
*   Count Up option save bug fixed

**1.5.4**

*   Code improvement (added new actions and triggers)
*   Analytic Extension
*   Bug fixed

**1.5.3**

*   Timer reset button
*   Timer buttons colors customization
*   Circle countdown popup on load event
*   Flipclock countdown popup on load event

**1.5.2**

*   Enable Timer Button (new)
*   Enable/Disable auto counting
*   Timer button start label
*   Timer button stop label

**1.5.1**

*   Display countdown on all custom post
*   Display countdown on selected custom post
*   Code optimization
*   Backend functions improvement
*   Bug fixed

**1.5.0**

*   Clock 3 type improvement
*   Bug fixed

**1.4.9**

*   Clock mode (12h/24h)
*   But fixed

**1.4.8**

*   After expire behavior for the Clock1, Clock2, Clock3, Clock4, Clock5, Clock6, Clock7 timers

**1.4.7**

*   New timer feature for the Clock1, Clock2, Clock3, Clock4, Clock5, Clock6, Clock7
*   Bug fixed

**1.4.6**

*   Display Countdown to Everywhere automatically (new feature)
*   Circle Countdown responsiveness improvement

**1.4.5**

*   Countdown Showing Limitation (new feature)
*   Countdown Showing Animation (new feature)
*   Countdown Shadow (new feature)
*   Code optimization
*   Small bug fixed

**1.4.3**

*   After Countdown Expire: Count Up (new feature)
*   Countdown responsiveness improvement
*   Bug fixed

**1.4.2**

*   New custom Css code possibility
*   Features improvements
*   Code improvements

**1.4.1**

*   Before Circle countdown content (new feature)
*   After Circle countdown content (new feature)
*   bug fixed

**1.4.0.1**

*   Improve Countdown Support menu link
*   Change countdown menu title to Countdown & Clock
*   minor improvement

**1.4.0**

*   Live preview draggable and toggle improvement
*   Clock 1 new improvements
*   Clock 2 new improvements
*   Clock 3 new improvements
*   Clock 4 new improvements
*   Clock 5 new improvements
*   Clock 6 new improvements
*   Clock 7 new improvements
*   Minor bug fixed

**1.3.9**

*   Clock 1 colors customizations
*   Shortcode media button conflict fixed
*   Admin side bug fixed
*   Descriptions improvement

**1.3.8**

*   New progress bar option
*   Admin side text improvement
*   Bug fixed

**1.3.7**

*   Admin side improvement
*   Bug fixed

**1.3.6**

*   Gutenberg block (new)
*   HTML editor countdown button (new)
*   Schedule (new)
*   Backend side improvement
*   Bug fixed

**1.3.5**

*   Bug Fixed

**1.3.4**

*   Countdown date duration option(new)
*   WooCommerce Countdown (new)
*   Countdown create bug fixed
*   Countdown issue on iPhone
*   Code improvement

**1.3.3**

*   Circle countdown months and year support
*   Time zone change issue on the Internet Explorer
*   Sticky countdown type (new)
*   Countdowns table improvement
*   Code improvement

**1.3.2**

*   Added new clock 2 types (new)
*   Code optimization
*   Bug fixed

**1.3.1**

*   Add new type clock
*   Code improvement

**1.3.0**

*   Fixed possibility multiple timer on the same page

**1.2.9**

*   Newsletter (new)
*   Countdown number Font Size (new)
*   Countdown number Font Weight (new)
*   Countdown number Font Style (new)
*   Countdown number Font Family (new)
*   Video tutorial https://www.youtube.com/watch?v=efqVcdKF620
*   Bug fixed
*   Code fixes

**1.2.8**

*   Circle Countdown type text Font Style (new option)
*   Bug fixed

**1.2.7**

*   New Digital countdown type
*   Bug fixed
*   Code improvement

**1.2.6**

*   Fixed Compatibility with cache plugins
*   Bug fixed

**1.2.5**

*   Code optimization
*   Admin dashboard improvement
*   Flip Clock popup type PRO

**1.2.4**

*   Bug fixed
*   Code improvement
*   Subscription (form and subscribers section) PRO

**1.2.3**

*   Bug fixed

**1.2.2**

*   User Role section (new)
*   Countdown timer insert media button (new)
*   Countdown timer widget (new)
*   Countdown delete data option (new)
*   Timer End Sound (new)
*   Support menu tab (new)
*   show countdown for selected countries (new pro)
*   bug fixed
*   Code optimizations

**1.2.1**

*   Countdown responsiveness
*   Countdown alignment
*   Countdown On of logic
*   Hide on mobile devices (pro)
*   Show on mobile devices (pro)
*   Bug fixes
*   Code optimization

**1.2.0**

*   Shortcode view improvment
*   Bug fixed
*   Code optimization
*   Flip clock NEW countdown type (Pro)

**1.0.9**

*   Time Zone
*   Circle Countdown Popup type (Pro)
*   code improvement

**1.0.8**

*   Countdown padding
*   Start Angle
*   Font Size
*   Font Weight
*   Countdown padding
*   Font Family (PRO)
*   Countdown Days Text Color (PRO)
*   Countdown Hours Text Color (PRO)
*   Countdown Minutes Text Color (PRO)
*   Countdown Seconds Text Color (PRO)
*   Background Circle (PRO)
*   Background Image (PRO)

**1.0.6**

*   Circle Width
*   Background Width
*   Countdown Days Color (PRO)
*   Countdown Hours Color (PRO)
*   Countdown Minutes Color (PRO)
*   Countdown Seconds Color (PRO)
*   After Countdown Expire Default
*   After Countdown Expire Hide Countdown
*   After Countdown Expire Show Text (PRO)
*   After Countdown Expire Redirect To URL (PRO)
*   Bug fixed
*   Design fixed

**1.0.5**

*   Countdown live preview
*   js code optimization

**1.0.4**

*   Countdown background circle
*   Countdown direction
*   Countdown bug fixed

**1.0.3**

*   Countdown days on of logic
*   Countdown days text
*   Countdown hours on of logic
*   Countdown hours text
*   Countdown minutes on of logic
*   Countdown minutes text
*   Countdown seconds on of logic
*   Countdown seconds text
*   Countdown js code optimization
*   Countdown admin design improvement

**1.0.2**

*   Countdown width
*   Bug fixed

**1.0.1**

*   Countdown animation
*   Code improvement

**1.0**

*   Plugin publish

CVE-2022-29423: Countdown, Coming Soon, Maintenance – Countdown & Clock

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of May 6, 2022 and is not available for download. This closure is temporary, pending a full review.

I use 3 different countdowns on 2 different websites and every time, it's easy to setup. Even the free version is good.

Simple timer that does exactly what it's supposed to do - displays a counter for the launch of a product / website. Usually, these timers can be overly complicated when you're just looking for one thing. The time displayed on the landing page or if you are showing a coming soon message or maintenance mode. If you want something fancier with all the customizable bells and whistles, you'll have to opt for a professional version of the plugin. I think for most basic web launches it will be working just fine.

The default style for the countdown clock is very good and easy to set up. We wanted more advanced features, so I upgraded, and received excellent customer support for getting the upgrade completed.

Adam was so helpful with custome code and adding specific design elements to the countdown object. Their functionality is awesome.

Je suis trés satisfait de ce compteur

Visually appealing and easy to use

Read all 142 reviews

“Countdown, Coming Soon, Maintenance – Countdown & Clock” is open source software. The following people have contributed to this plugin.

Contributors

*    adamskaat

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin <= 2.3.2 at WordPress via &ycd-circle-countdown-before-countdown and &ycd-circle-countdown-after-countdown vulnerable parameters.

CVE-2022-29420: Countdown, Coming Soon, Maintenance – Countdown & Clock

Reflected Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Countdown & Clock plugin on WordPress via &ycd_type vulnerable parameter.

**countdown-builder**

**Software**

**Countdown & Clock**

**Vulnerable Versions**

**<= 2.3.2**

**Fixed in version**

**CVE**

**CVE-2022-29421**

**References**

**Credits**

**Classification**

**Cross Site Scripting (XSS)**

**OWASP Top 10**

**A7: Cross-Site Scripting (XSS)**

**Disclosure Date**

**2022-04-28**

**CVSS 3.0 score**

**Are your websites subject to this vulnerability?**

**Details**

**Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ex.Mi (Patchstack) in WordPress Countdown & Clock plugin (versions <= 2.3.2).**

**Solution**

**No patched version is available.**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-29421: WordPress Countdown & Clock plugin <= 2.3.2 - Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Stored Cross-Site Scripting (XSS) vulnerability in Andrea Pernici News Sitemap for Google plugin <= 1.0.16 on WordPress, attackers must have contributor or higher user role.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of May 6, 2022 and is not available for download. This closure is temporary, pending a full review.

Hi, great plugin! Can you correct these warnings? Notice: Use of undefined constant WP\_Error - assumed 'WP\_Error' in /home/brusco/workspace/icon/wp-content/plugins/google-news-sitemap/apgnsm.php on line 174 Notice: Undefined variable: apgnsm\_active in /home/brusco/workspace/icon/wp-content/plugins/google-news-sitemap/apgnsm.php on line 184

Il plugin fa esattamente quello che promette, e lo fa in modo semplice e pulito. il solo "difetto" l'accesso alla configurazione anche agli autori e collaboratori

Read all 4 reviews

“Andrea Pernici News Sitemap for Google” is open source software. The following people have contributed to this plugin.

Contributors

*    Andrea Pernici

CVE-2021-36912: Andrea Pernici News Sitemap for Google

Attackers pounce before site owners can activate the installation wizard

Attackers pounce before site owners can activate the installation wizard

Attackers are abusing the Certificate Transparency (CT) system to compromise new WordPress sites in the typically brief window of time before the content management system (CMS) has been configured and therefore secured.

CT is a web security standard for monitoring and auditing TLS (aka SSL) certificates, which are issued by certificate authorities (CAs) to validate websites’ identity.

First implemented by the DigiCert CA in 2013, the standard mandates that CAs immediately record all newly issued certificates on public logs in the interests of transparency and the prompt discovery of rogue or misused certificates.

**DDoS attacks**

However, evidence is growing that malicious hackers are monitoring these logs in order to detect new WordPress domains and configure the CMS themselves after web admins upload the WordPress files, but before they manage to secure the website with a password.

Multiple testimonies have emerged detailing sites being hacked within minutes – within seconds, even – of TLS certificates being requested.

RELATED ‘Dangerous’ EU web authentication plan threatens to undercut browser-led certification system

Domain owners report the appearance of a malicious file (/wp-includes/.query.php) and sites being press-ganged into joining DDoS attacks.

On a related thread on the support forum of Let’s Encrypt, a CA that issues free certificates and launched its own CT log in 2019, a Certbot engineer said the attacks had “been happening for a few years now”.

**Recon techniques**

Josh Aas, executive director at the Internet Security Research Group, which runs Let’s Encrypt, agrees with the engineer’s speculation over the attackers’ reconnaissance techniques.

“If the attacker is polling CT logs directly they would see new certificate entries faster, giving them a larger time window in which to pull off the attack,” Aas told The Daily Swig. Scanning crt.sh, a certificate search domain, “might also work, but it takes longer for new certificates to propagate from CT”.

There’s no question of the attacks reflecting shortcomings in the CT system, which according to Let’s Encrypt has “led to numerous improvements to the CA ecosystem and web security” and “is rapidly becoming critical infrastructure”.

Aas said all publicly trusted CAs are required to submit certificates to CT logs “without delay after they are issued”.

**An argument for automation**

He suggested that the responsibility for protecting new WordPress sites ultimately lies with domain owners and hosting providers.

“Getting a certificate from Let’s Encrypt may make it easier to detect a new installation, but nobody should be putting WordPress installations on the public internet until they are secured. If a hosting provider or any other entity is doing that, please report it as a vulnerability in their deployment process.”

Catch up on the latest WordPress security news

Josepha Haden, executive director on the WordPress project at Automattic, told The Daily Swig that the attacks “only affects direct installations – if a site is on any recommended host, or the installation process is automated, there is usually a pre-configured config file so the installation process is complete/is not interactive and there’s little chance for that attack”.

In a recent blog post on the topic, Colorado-based web design firm White Fir Design suggested that WordPress could tackle the problem by giving the domain owner “control of the website” at the outset, “say, by adding a \[template\] file”.

On the Let’s Encrypt forum, Christopher Cook, developer of Let's Encrypt Windows UI Certify the Web, proposed that WordPress “could randomise the install URL and present it only to you in the console, or require a one-time token”.

Josepha Haden acknowledged that WordPress needed “to review the issue. The Core team is aware and discussing the best changes as well as best timing as we move forward with the rest of our releases for the remainder of the year,” she said.

RECOMMENDED Heroku resets user passwords after concluding April cyber-attack ran deep

Tag

#wordpress