CVE-2021-24191

Name of the Vulnerable Software and Affected Versions: WP Maintenance Mode & Site Under Construction WordPress plugin versions prior to 1.8.2

Description: The issue allows low-privileged users to install any plugin, including specific versions, from the WordPress repository and activate arbitrary plugins from the blog. This can be achieved by utilizing the AJAX action cp plugins do button job later callback. The exploitation of this issue could lead to the installation of vulnerable plugins, potentially resulting in more critical vulnerabilities, such as remote code execution (RCE).

Recommendations: For WP Maintenance Mode & Site Under Construction WordPress plugin versions prior to 1.8.2, update to version 1.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the cp plugins do button job later callback AJAX action until a patch is applied.