WordPress Plugin Vulnerabilities

CMP – Coming Soon & Maintenance < 4.1.15 - Admin+ Arbitrary File Upload

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
cmp-coming-soon-maintenance
Fixed in 4.1.15

References

CVE
CVE-2025-32118
URL
https://patchstack.com/database/wordpress/plugin/cmp-coming-soon-maintenance/vulnerability/wordpress-cmp-coming-soon-maintenance-plugin-4-1-13-remote-code-execution-rce-vulnerability

Miscellaneous

Original Researcher
SavPhill (Savphill)
Verified
No
WPVDB ID
062a66a0-b9ae-4524-818c-12e127186728

Timeline

Publicly Published
2025-04-04 (about 1 year ago)
Added
2025-04-08 (about 1 year ago)
Last Updated
2025-04-30 (about 1 year ago)

Other

Published
Title
Published
2015-07-10
Title
MailCWP 1.100 - Unauthenticated Arbitrary File Upload
Published
2026-03-23
Title
WPBookit Pro <= 1.6.18 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2014-12-08
Title
Gravity Forms <= 1.8.19 - Arbitrary File Upload
Published
2014-08-01
Title
seo-spy-google - ofc_upload_image.php Arbitrary File Upload
Published
2025-05-21
Title
JP Students Result Management System Premium 1.1.7 - Unauthenticated Arbitrary File Upload