Coming Soon Page & Maintenance Mode < 1.8.2 – Unauthenticated Stored XSS | CVE 2019-25140

Affects Plugins

responsive-coming-soon

Fixed in 1.8.2

References

CVE

CVE-2019-25140

URL

https://blog.nintechnet.com/unauthenticated-stored-xss-in-wordpress-coming-soon-page-and-maintenance-mode-plugin/

URL

https://plugins.trac.wordpress.org/changeset/2123149/responsive-coming-soon

URL

https://plugins.trac.wordpress.org/changeset/2121321/responsive-coming-soon

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Submitter

Ryan Dewhurst

Submitter website

https://wpscan.io

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

520b5b84-6538-4832-8216-7258b0d251f7

Timeline

Publicly Published

2019-07-16 (about 6 years ago)

Added

2019-07-16 (about 6 years ago)

Last Updated

2023-06-08 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

Dynamic Widgets <= 1.5.1 - Cross-Site Scripting (XSS)

Published

2025-04-20

Title

Boxers and Swipers <= 4.02 - Author+ Stored XSS

Published

2025-01-16

Title

Spiderpowa Embed PDF <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-03

Title

Cf7Save Extension <= 1 - Reflected Cross-Site Scripting

Published

2024-09-26

Title

Terms descriptions < 3.4.8 - Admin+ Stored XSS