WordPress Plugin Vulnerabilities

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd < 5.1.2 - Authenticated Stored Cross Site Scripting (XSS)

Description

Authenticated stored cross-site scripting issues in some of the plugin settings, requiring high privileges.

Proof of Concept

Affects Plugins

Plugin icon
coming-soon
Fixed in 5.1.2

References

CVE
CVE-2020-15038
URL
https://www.getastra.com/blog/911/plugin-exploit/stored-xss-coming-soon-page-maintenance-mode-plugin/
URL
https://www.jinsonvarghese.com/stored-xss-coming-soon-maintenance-mode-wordpress-plugin/
URL
https://wordpress.org/plugins/coming-soon/#developers

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.8 (low)

Miscellaneous

Original Researcher
Jinson Varghese Behanan
Submitter
Jinson Varghese Behanan
Submitter website
https://www.jinsonvarghese.com
Submitter twitter
JinsonCyberSec
Verified
Yes
WPVDB ID
378239a5-a7f2-4ccb-bb46-4d2b667fdf16

Timeline

Publicly Published
2020-06-25 (about 5 years ago)
Added
2020-06-25 (about 5 years ago)
Last Updated
2020-06-26 (about 5 years ago)

Other

Published
Title
Published
2025-09-22
Title
DOAJ Export <= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2026-02-13
Title
Essential Addons for Elementor < 6.5.10 - Contributor+ Stored XSS
Published
2024-10-09
Title
Restaurant Reservations Widget <= 1.0 - Reflected Cross-Site Scripting
Published
2025-03-18
Title
Stencies <= 0.58 - Reflected Cross-Site Scripting
Published
2023-10-12
Title
Print, PDF, Email by PrintFriendly < 5.5.2 - Admin+ Stored XSS