Description

WordPress Plugin Coming Soon & Maintenance Mode Page is prone to a vulnerability that lets remote attackers inject and execute arbitrary code because the application fails to sanitize user-supplied input before being passed to the unserialize() PHP function. Attackers can possibly exploit this issue to execute arbitrary PHP code within the context of the affected webserver process. WordPress Plugin Coming Soon & Maintenance Mode Page version 1.42 is vulnerable; prior versions may also be affected.

Remediation

Disable the plugin until a fix is available

References

https://www.pluginvulnerabilities.com/2018/11/28/it-would-be-a-good-idea-for-wordpress-plugin-developers-to-check-their-plugins-with-our-plugin-security-checker/

Related Vulnerabilities

WordPress Deserialization of Untrusted Data Vulnerability (CVE-2020-28032)

XWiki Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2022-23616)

WordPress Plugin Gutenberg Block Editor Toolkit-EditorsKit Remote Code Execution (1.31.5)

Ruby on Rails Improper Access Control Vulnerability (CVE-2016-6317)

WordPress Plugin WooCommerce Affiliate-Coupon Affiliates Cross-Site Scripting (4.11.0.1)

Severity

High

Classification

CWE-915 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update