Attack Vectors
CVE-2026-1390 is a Medium severity (CVSS 4.3) Cross-Site Request Forgery (CSRF) issue affecting the Redirect countdown WordPress plugin (slug: redirect-countdown) in all versions up to and including 1.0. In practical terms, an attacker doesn’t need to log in to your WordPress site to attempt this attack.
The primary attack path relies on user interaction: an attacker crafts a request that changes the plugin’s settings and then tricks a site administrator (or another user with sufficient privileges) into triggering it—commonly by clicking a link or visiting a web page while they are logged into WordPress. Because the request is “forged,” it can appear to WordPress as a legitimate settings change initiated by an authorized user.
If successful, the attacker can update settings such as the countdown timeout, the redirect URL, and custom text. This is particularly relevant for organizations where administrators may click links from email campaigns, vendor communications, or social platforms while still authenticated in the admin dashboard.
Security Weakness
The vulnerability exists because the plugin’s countdown_settings_content() function lacks proper nonce validation. A WordPress nonce is the platform’s standard CSRF token: a value tied to a specific action and to the current user’s session, emitted in the settings form and verified (for example with check_admin_referer()) before the submitted values are saved. Without this check, WordPress cannot reliably distinguish a real administrator action from a malicious, externally triggered request, because the browser attaches the admin’s session cookies to a forged request just as it would to a legitimate one.
This is a classic CSRF pattern: the attacker leverages the trust of an already-authenticated admin session rather than breaking authentication directly. The reported impact is limited to settings updates (integrity impact is rated low in the CVSS vector), but those settings can still meaningfully affect user experience and brand trust.
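To make the weakness class concrete, here is an added illustration in PHP of the vulnerable settings-handler pattern beside its hardened form. It is not the Redirect countdown plugin’s own code: the rc_demo_* function and option names are assumptions chosen to mirror the timeout, redirect URL and custom text settings the advisory mentions.

```php
<?php
// Added illustration of the missing-nonce CSRF pattern; not the plugin's code.
// Function and option names are assumptions.

// VULNERABLE PATTERN: POSTed values are saved as soon as they are present. A
// request forged from another origin while an admin is logged in (cookies are
// attached automatically by the browser) is indistinguishable from a real save.
function rc_demo_settings_content_vulnerable() {
    if ( isset( $_POST['rc_demo_submit'] ) ) {
        update_option( 'rc_demo_timeout',      absint( $_POST['rc_demo_timeout'] ) );
        update_option( 'rc_demo_redirect_url', esc_url_raw( $_POST['rc_demo_redirect_url'] ) );
        update_option( 'rc_demo_custom_text',  sanitize_text_field( $_POST['rc_demo_custom_text'] ) );
    }
    rc_demo_render_form( false );
}

// HARDENED PATTERN: (1) capability check, (2) nonce check. check_admin_referer()
// verifies the nonce field (bound to the action name and the current user's
// session) and calls wp_die() on failure, so a forged cross-origin request
// never reaches update_option().
function rc_demo_settings_content_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to manage these settings.', 'rc-demo' ) );
    }
    if ( isset( $_POST['rc_demo_submit'] ) ) {
        check_admin_referer( 'rc_demo_save_settings', 'rc_demo_nonce' );
        update_option( 'rc_demo_timeout',      absint( $_POST['rc_demo_timeout'] ) );
        update_option( 'rc_demo_redirect_url', esc_url_raw( wp_unslash( $_POST['rc_demo_redirect_url'] ) ) );
        update_option( 'rc_demo_custom_text',  sanitize_text_field( wp_unslash( $_POST['rc_demo_custom_text'] ) ) );
    }
    rc_demo_render_form( true );
}

// Renders the settings form. Only the hardened path embeds the nonce field
// that check_admin_referer() later validates; without it, any page can
// reproduce this form and have the admin's browser submit it.
function rc_demo_render_form( $with_nonce ) {
    echo '<form method="post">';
    if ( $with_nonce ) {
        wp_nonce_field( 'rc_demo_save_settings', 'rc_demo_nonce' );
    }
    echo '<input type="number" name="rc_demo_timeout" value="' . esc_attr( get_option( 'rc_demo_timeout', 5 ) ) . '">';
    echo '<input type="url" name="rc_demo_redirect_url" value="' . esc_attr( get_option( 'rc_demo_redirect_url', '' ) ) . '">';
    echo '<input type="text" name="rc_demo_custom_text" value="' . esc_attr( get_option( 'rc_demo_custom_text', '' ) ) . '">';
    echo '<button type="submit" name="rc_demo_submit" value="1">Save</button>';
    echo '</form>';
}
```

When reviewing a plugin for this class of bug, look for any update_option() call reachable from a request handler that is not preceded by a check_admin_referer() or wp_verify_nonce() call on the same request.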
As of the provided advisory, there is no known patch available. Organizations should evaluate whether continuing to run Redirect countdown (<= 1.0) aligns with their risk tolerance, and consider removing it in favor of a maintained alternative if the functionality is business-critical.
Technical or Business Impacts
Even with a Medium severity rating, the business risk can be significant because the affected settings directly influence where site visitors are sent and what messaging they see. If an attacker changes the redirect URL, visitors could be forwarded to an unintended destination, potentially including competitor sites, deceptive pages, or content that damages trust.
For marketing and revenue teams, unauthorized changes to countdown timing or custom text can disrupt campaign landing pages, distort conversion flows, and corrupt attribution data. For example, a shortened timeout could prematurely redirect users away from a page designed to educate or capture leads; a modified redirect could send paid traffic to the wrong destination, increasing ad spend waste and lowering ROI.
From a governance and compliance perspective, unauthorized content and routing changes can create reputational risk and raise concerns during audits—especially if the site is used for regulated communications or customer data collection. Because exploitation depends on an administrator being tricked into clicking or visiting something while logged in, security awareness and operational controls (such as minimizing admin sessions and limiting plugin exposure) become important mitigations alongside the business decision of whether to uninstall the plugin.
Similar Attacks
CSRF-based settings changes have affected many platforms and plugins over time, typically involving an attacker tricking an authenticated user into unknowingly submitting a privileged request. Here are a few real, well-known examples of related attack patterns and vulnerabilities:
CISA Alert: Ongoing cyber attacks exploiting vulnerabilities in multiple router models (includes common themes like forced changes to device settings and configuration tampering, often enabled by web-based weaknesses).
PortSwigger Web Security Academy: Cross-Site Request Forgery (CSRF) (educational reference explaining how attackers exploit authenticated sessions to perform unwanted actions).
CVE Record: CVE-2026-1390 (official CVE entry for this Redirect countdown issue).