Minimal Coming Soon – Coming Soon Page < 2.39 – Missing Authorization to Limited Settings Change | CVE 2024-5087 | Plugin Vulnerabilities

Description

The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the license key, which could disable features of the plugin.

Affects Plugins

minimal-coming-soon-maintenance-mode

Fixed in 2.39

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/affdaf63-2098-4ad6-b15b-990d1941fecb

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Foxyyy

Verified

No

WPVDB ID

bf7efb23-90b9-4340-b094-6352b71f6546

Timeline

Publicly Published

2024-06-07 (about 2 years ago)

Added

2024-06-07 (about 2 years ago)

Last Updated

2024-06-08 (about 2 years ago)

Other

Published

Title

Published

2024-04-12

Title

Ovic Addon Toolkit <= 2.6.1 - Missing Authorization

Published

2025-08-22

Title

WPPizza < 3.19.8.1 - Missing Authorization

Published

2022-03-29

Title

myCred < 2.4.4 - Subscriber+ Import/Export to Email Address Disclosure

Published

2025-07-28

Title

Hydra Booking 1.1.0 - 1.1.18 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via tfhb_reset_password_callback Function

Published

2024-06-28

Title

Church Admin < 4.4.5 - Missing Authorization