WordPress Plugin Vulnerabilities

CMP - Coming Soon & Maintenance < 3.8.2 - Improper Access Controls on AJAX Calls

Description

Some of the AJAX calls from the plugin do not properly check for capabilities and CSRF tokens, leading to issues such as arbitrary post read, subscribers list export and plugin deactivation.

Affects Plugins

Plugin icon
cmp-coming-soon-maintenance
Fixed in 3.8.2

References

CVE
CVE-2020-36730
URL
https://blog.nintechnet.com/multiple-vulnerabilities-fixed-in-cmp-coming-soon-and-maintenance-plugin/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet)
Verified
No
WPVDB ID
f820452e-37f5-44b9-a232-11d9b91bec3b

Timeline

Publicly Published
2020-08-04 (about 5 years ago)
Added
2020-08-04 (about 5 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2021-05-26
Title
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Export
Published
2024-06-05
Title
The Moneytizer < 10.0.1 - Cross-Site Request Forgery via multiple AJAX actions
Published
2023-06-02
Title
Page Builder by AZEXO <= 1.27.133 - Subscriber+ Post Creation
Published
2024-04-17
Title
Backup Migration < 1.4.4 - Information Exposure via Log Files
Published
2024-02-19
Title
Schema & Structured Data for WP & AMP < 1.27 - Contributor+ reCaptcha Key Update