CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1075 – Minimal Coming Soon – Coming Soon Page <= 2.37 - Unauthenticated Maintenance Mode Bypass
https://notcve.org/view.php?id=CVE-2024-1075
The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden. El complemento Minimal Coming Soon – Coming Soon Page para WordPress es vulnerable a la omisión del modo de mantenimiento y a la divulgación de información en todas las versiones hasta la 2.37 incluida. Esto se debe a que el complemento validó incorrectamente la ruta de la solicitud. • https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php#L67 https://plugins.trac.wordpress.org/changeset/3031149/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php https://www.wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07?source=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24533 – Maintenance < 4.03 - Authenticated Stored XSS
https://notcve.org/view.php?id=CVE-2021-24533
The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend El plugin de WordPress Maintenance versiones anteriores a 4.03, no sanea o escapa de algunas de sus configuraciones, permitiendo a usuarios con altos privilegios, como los administradores, ver en ellas cargas útiles de tipo Cross-Site Scripting (incluso cuando la capacidad unfiltered_html está deshabilitada), que serán desencadenadas en el frontend. • https://wpscan.com/vulnerability/174b2119-b806-4da4-a23d-c19b552c86cb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-6166 – Minimal Coming Soon & Maintenance Mode <= 2.16 - Missing Authorization to Export Settings/Theme Change
https://notcve.org/view.php?id=CVE-2020-6166
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.15, allows authenticated users with basic access to export settings and change maintenance-mode themes. Un fallo en el plugin de WordPress, Minimal Coming Soon & Maintenance Mode versiones hasta 2.15, permite a usuarios autenticados con acceso básico exportar la configuración y cambiar los temas en el modo de mantenimiento. • https://wordpress.org/plugins/minimal-coming-soon-maintenance-mode/#developers https://wpvulndb.com/vulnerabilities/10009 https://www.wordfence.com/blog/2020/01/multiple-vulnerabilities-patched-in-minimal-coming-soon-maintenance-mode-coming-soon-page-plugin • CWE-276: Incorrect Default Permissions CWE-862: Missing Authorization •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2020-6167 – Minimal Coming Soon & Maintenance Mode <= 2.10 - Cross-Site Request Forgery to Stored Cross-Site Scripting and Setting Changes
https://notcve.org/view.php?id=CVE-2020-6167
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows a CSRF attack to enable maintenance mode, inject XSS, modify several important settings, or include remote files as a logo. Un fallo en el plugin de WordPress, Minimal Coming Soon & Maintenance Mode versiones hasta 2.10, permite un ataque de tipo CSRF para habilitar el modo de mantenimiento, inyectar XSS, modificar varias configuraciones importantes o incluir archivos remotos como un logotipo. • https://wordpress.org/plugins/minimal-coming-soon-maintenance-mode/#developers https://wpvulndb.com/vulnerabilities/10007 https://www.wordfence.com/blog/2020/01/multiple-vulnerabilities-patched-in-minimal-coming-soon-maintenance-mode-coming-soon-page-plugin • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 1CVE-2020-6168 – Minimal Coming Soon & Maintenance Mode <= 2.10 - Missing Authorization
https://notcve.org/view.php?id=CVE-2020-6168
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows authenticated users with basic access to enable and disable maintenance-mode settings (impacting the availability and confidentiality of a vulnerable site, along with the integrity of the setting). Un fallo en el plugin de WordPress, Minimal Coming Soon & Maintenance Mode versiones hasta 2.10, permite a usuarios autenticados con acceso básico habilitar y deshabilitar la configuración del modo de mantenimiento (impactando la disponibilidad y confidencialidad de un sitio vulnerable, junto con la integridad de la configuración). • https://wordpress.org/plugins/minimal-coming-soon-maintenance-mode/#developers https://wpvulndb.com/vulnerabilities/10008 https://www.wordfence.com/blog/2020/01/multiple-vulnerabilities-patched-in-minimal-coming-soon-maintenance-mode-coming-soon-page-plugin • CWE-862: Missing Authorization •