WordPress Plugin Vulnerabilities

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd < 5.1.2 - Authenticated Stored Cross Site Scripting (XSS)

Description

Authenticated stored cross-site scripting issues in some of the plugin settings, requiring high privileges.

Proof of Concept

Affects Plugins

Plugin icon
coming-soon
Fixed in 5.1.2

References

CVE
CVE-2020-15038
URL
https://www.getastra.com/blog/911/plugin-exploit/stored-xss-coming-soon-page-maintenance-mode-plugin/
URL
https://www.jinsonvarghese.com/stored-xss-coming-soon-maintenance-mode-wordpress-plugin/
URL
https://wordpress.org/plugins/coming-soon/#developers

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.8 (low)

Miscellaneous

Original Researcher
Jinson Varghese Behanan
Submitter
Jinson Varghese Behanan
Submitter website
https://www.jinsonvarghese.com
Submitter twitter
JinsonCyberSec
Verified
Yes
WPVDB ID
378239a5-a7f2-4ccb-bb46-4d2b667fdf16

Timeline

Publicly Published
2020-06-25 (about 5 years ago)
Added
2020-06-25 (about 5 years ago)
Last Updated
2020-06-26 (about 5 years ago)

Other

Published
Title
Published
2025-04-18
Title
SB Chart block < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter
Published
2025-04-10
Title
WP Maps < 4.7.2 - Admin+ Stored XSS
Published
2026-02-24
Title
Secure Copy Content Protection and Content Locking < 5.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute
Published
2024-04-30
Title
RegistrationMagic < 5.3.2.1 - Reflected Cross-Site Scripting
Published
2024-11-08
Title
Posts Search <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting