WordPress Security Bulletin: Peter’s Date Countdown Plugin Vulnerability (CVE-2026-1654)

On this page

Security Alert Summary

The Peter’s Date Countdown plugin for WordPress contains a reflected cross-site scripting (XSS) vulnerability via the $_SERVER['PHP_SELF'] parameter in all versions up to and including 2.0.0. An unauthenticated attacker can craft a URL that, if clicked by a site user, may execute arbitrary script in the user’s browser.


CVE Details

  • CVE ID: CVE-2026-1654
  • Affected component: Peter’s Date Countdown plugin for WordPress
  • Affected versions: All versions up to and including 2.0.0
  • Published: February 5, 2026 at 10:16:03 AM UTC
  • Last modified: February 5, 2026 at 2:57:20 PM UTC
  • CVSS v3.1: Base Score 6.1 — MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: No authentication required (PR:N); privileges required: none. User interaction is required (UI:R).
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None.
  • CWE: CWE-79

Technical Details

This is a reflected Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] value. The plugin outputs that server-supplied value into page markup without properly neutralizing potential script content. An attacker can craft a URL containing script payloads that are reflected in the HTTP response. If a user clicks the crafted link, the injected script can execute in the context of that user’s browser.

The CVE description attributes the root cause to inadequate sanitization and escaping of $_SERVER['PHP_SELF']. The vulnerability is reflected and requires a victim to perform an action (for example, clicking a link). The entry does not indicate escalation of server-side privileges or exploitation without user interaction.


How This Could Impact Your Website

On a typical site with multiple users—such as a site owner who manages plugins, internal staff who edit content, and external contractors or contributors who may receive limited access—an attacker could send a crafted link to one of these users. If an editor, contributor, or other user clicks the link while viewing a page that includes the vulnerable output, the injected script could run in their browser and may access or act on data available in that page context.

Practical consequences include exposure of user-visible information, increased risk of targeted phishing or social engineering (using harvested details), and the potential for actions performed in the context of the clicked user’s session limited to their permissions. The CVE indicates confidentiality and integrity impacts are low and availability is not affected; it does not describe site-wide takeover or privilege escalation.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (A specific fixed version is not specified in the CVE entry.)
  • Review and reduce unnecessary user roles, especially contributors and editors.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and logs for unusual behavior, such as unexpected redirects or injected scripts.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References