WordPress Plugin Vulnerabilities

Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)

Description

The includes/mc-get_lists.php file used the 'apiKey' POST parameter to create an https URL from it without sanitisation and called it with cURL, leading to a SSRF issue.

The issue is exploitable via direct access to the affected file, and ucmm_mc_api AJAX call (available to both authenticated and unauthenticated users).

Proof of Concept

Affects Plugins

Plugin icon
under-construction-maintenance-mode
Fixed in 1.1.2

References

URL
https://packetstormsecurity.com/files/#161576/

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mr.F
Verified
Yes
WPVDB ID
24784c84-3efd-4166-81c1-e5a266562cfc

Timeline

Publicly Published
2021-02-27 (about 4 years ago)
Added
2021-02-27 (about 4 years ago)
Last Updated
2021-03-04 (about 4 years ago)

Other

Published
Title
Published
2025-05-07
Title
Solace Extra < 1.3.2 - Authenticated (Subscriber+) Server-Side Request Forgery
Published
2025-06-26
Title
Ninja Tables – Easy Data Table Builder < 5.0.19 - Unauthenticated Server-Side Request Forgery
Published
2018-12-25
Title
JSmol2WP <= 1.07 - Unauthenticated Server Side Request Forgery (SSRF)
Published
2025-04-24
Title
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) < 3.1.3 - Unauthenticated Server-Side Request Forgery via URL Parameter
Published
2024-03-29
Title
Builderall Builder for WordPress < 2.0.2 - Unauthenticated Server-Side Request Forgery