CVE-2024-1075 – Minimal Coming Soon – Coming Soon Page <= 2.37 - Unauthenticated Maintenance Mode Bypass
https://notcve.org/view.php?id=CVE-2024-1075
The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden.
• https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php#L67
• https://plugins.trac.wordpress.org/changeset/3031149/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07?source=cve
• CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2020-6166 – Minimal Coming Soon & Maintenance Mode <= 2.16 - Missing Authorization to Export Settings/Theme Change
https://notcve.org/view.php?id=CVE-2020-6166
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.15, allows authenticated users with basic access to export settings and change maintenance-mode themes.
• https://wordpress.org/plugins/minimal-coming-soon-maintenance-mode/#developers
• https://wpvulndb.com/vulnerabilities/10009
• https://www.wordfence.com/blog/2020/01/multiple-vulnerabilities-patched-in-minimal-coming-soon-maintenance-mode-coming-soon-page-plugin
• CWE-276: Incorrect Default Permissions
• CWE-862: Missing Authorization
CVE-2020-6167 – Minimal Coming Soon & Maintenance Mode <= 2.10 - Cross-Site Request Forgery to Stored Cross-Site Scripting and Setting Changes
https://notcve.org/view.php?id=CVE-2020-6167
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows a CSRF attack to enable maintenance mode, inject XSS, modify several important settings, or include remote files as a logo.
• https://wordpress.org/plugins/minimal-coming-soon-maintenance-mode/#developers
• https://wpvulndb.com/vulnerabilities/10007
• https://www.wordfence.com/blog/2020/01/multiple-vulnerabilities-patched-in-minimal-coming-soon-maintenance-mode-coming-soon-page-plugin
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2020-6168 – Minimal Coming Soon & Maintenance Mode <= 2.10 - Missing Authorization
https://notcve.org/view.php?id=CVE-2020-6168
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows authenticated users with basic access to enable and disable maintenance-mode settings (impacting the availability and confidentiality of a vulnerable site, along with the integrity of the setting).
• https://wordpress.org/plugins/minimal-coming-soon-maintenance-mode/#developers
• https://wpvulndb.com/vulnerabilities/10008
• https://www.wordfence.com/blog/2020/01/multiple-vulnerabilities-patched-in-minimal-coming-soon-maintenance-mode-coming-soon-page-plugin
• CWE-862: Missing Authorization