PT-2022-13005 · WordPress · Wp Maintenance Mode & Coming Soon

Krzysztof Zając · Published 2022-02-21 · Updated 2023-08-02 · CVE-2022-0164

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Coming soon and Maintenance mode WordPress plugin, version 3.5.2 and earlier.

Description: The issue concerns a lack of authorization and CSRF checks in the coming soon send mail AJAX action. This allows any authenticated user, even one with a role as low as Subscriber, to send arbitrary emails to all subscribed users.

Recommendations: For versions prior to 3.5.3, update to version 3.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the coming soon send mail AJAX action to prevent unauthorized email sending.
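The pattern the advisory describes, and the two checks that close it, as an added illustration written for this page rather than the plugin's own code. The hook name, option key, nonce action and request fields are assumed placeholders; the real names are not given in the advisory.

```php
<?php
// Added illustration, not the plugin's code. Hook name, option key, nonce
// action and request fields are placeholders; the real ones are not on the page.

// Vulnerable pattern: wp_ajax_* callbacks run for every logged-in user, so with
// no capability check and no nonce check a Subscriber can trigger the mailing
// directly, and any site the user is logged in to can trigger it via CSRF.
function csmm_send_mail_unprotected() {
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    foreach ( (array) get_option( 'csmm_subscribers', array() ) as $email ) {
        wp_mail( $email, $subject, $body );
    }
    wp_send_json_success();
}

// Hardened pattern: the same handler behind an authorization check and a
// CSRF (nonce) check, which is the class of fix the advisory refers to.
function csmm_send_mail_protected() {
    // Dies with HTTP 403 unless the request carries a valid nonce for this action.
    check_ajax_referer( 'csmm_send_mail', 'nonce' );
    // Subscribers do not hold manage_options; by default only administrators do.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    foreach ( (array) get_option( 'csmm_subscribers', array() ) as $email ) {
        if ( is_email( $email ) ) {
            wp_mail( $email, $subject, $body );
        }
    }
    wp_send_json_success();
}
// Registered for authenticated users only (no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_csmm_send_mail', 'csmm_send_mail_protected' );

// The admin page issuing the request must include a matching nonce, for
// example via wp_create_nonce( 'csmm_send_mail' ) in its localized script data.
```

The interim workaround in the recommendations amounts to adding the capability check shown above (or removing the hook) until the plugin is updated.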

Tags: Exploit · Fix · Missing Authorization · CSRF

Weakness Enumeration

Related Identifiers: CVE-2022-0164

Affected Products: Wp Maintenance Mode & Coming Soon