WordPress Plugin Vulnerabilities

Coming Soon, Under Construction & Maintenance Mode By Dazzler < 2.1.3 - Maintenance Mode Bypass

Description

The plugin is vulnerable to maintenance mode bypass due to the plugin relying on the REQUEST_URI to determine if the page being accesses is an admin area. This makes it possible for unauthenticated attackers to bypass maintenance mode and access the site which may be considered confidential when in maintenance mode.

Affects Plugins

Plugin icon
coming-soon-wp
Fixed in 2.1.3

References

CVE
CVE-2024-1181
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc144cd-7119-477f-9fa1-b00cab215077

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
cc61da0c-8457-4a16-b025-080e82450316

Timeline

Publicly Published
2024-03-19 (about 2 years ago)
Added
2024-03-19 (about 2 years ago)
Last Updated
2024-04-01 (about 2 years ago)

Other

Published
Title
Published
2025-12-15
Title
Booking calendar, Appointment Booking System < 3.2.31 - Missing Authorization
Published
2024-01-16
Title
SalesKing < 1.6.30 - Missing Authorization to Settings Change
Published
2025-10-17
Title
WPC Smart Wishlist for WooCommerce < 5.0.5 - Missing Authorization to Authenticated (Subscriber+) Information Exposure
Published
2025-11-22
Title
Timetics < 1.0.45 - Missing Authorization
Published
2025-12-11
Title
Reformer for Elementor <= 1.0.6 - Missing Authorization