WordPress Plugin Vulnerabilities

Under Construction, Coming Soon & Maintenance Mode < 2.1.2 - Cross-Site Request Forgery

Description

The Under Construction, Coming Soon & Maintenance Mode plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
under-construction-maintenance-mode
Fixed in 2.1.2

References

CVE
CVE-2026-34896
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/72fac756-6e43-4880-8328-c023429759f3

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Carlos Ferreira
Verified
No
WPVDB ID
665a2113-1502-4eaa-9a74-60c541e3a5e0

Timeline

Publicly Published
2026-04-07 (about 2 months ago)
Added
2026-04-15 (about 2 months ago)
Last Updated
2026-04-15 (about 2 months ago)

Other

Published
Title
Published
2025-12-07
Title
Salon booking system < 10.30.4 - Cross-Site Request Forgery
Published
2023-02-28
Title
Responsive Vertical Icon Menu < 1.5.9 - Theme Deletion via CSRF
Published
2025-01-16
Title
MDC YouTube Downloader <= 3.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2019-06-27
Title
WP Better Permalinks <= 3.0.4 - CSRF allowing Option Update
Published
2023-10-06
Title
Schedule Posts Calendar < 5.3 - CSRF