CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0164 – Coming soon and Maintenance mode < 3.6.7 - Subscriber+ Arbitrary Email Sending to Subscribed Users
https://notcve.org/view.php?id=CVE-2022-0164
The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users El plugin Coming soon y Maintenance mode de WordPress versiones anteriores a 3.6.8, no presenta comprobaciones de autorización y CSRF en su acción coming_soon_send_mail AJAX, permitiendo a cualquier usuario autenticado, con un rol tan bajo como el de suscriptor, enviar correos electrónicos arbitrarios a todos los usuarios suscritos The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users. • https://plugins.trac.wordpress.org/changeset/2655973 https://wpscan.com/vulnerability/942535f9-73bf-4467-872a-20075f03bc51 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0199 – Coming soon and Maintenance mode < 3.6.8 - Arbitrary Email Sending to Subscribed Users via CSRF
https://notcve.org/view.php?id=CVE-2022-0199
The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make logged in admin to send arbitrary emails to all subscribed users via a CSRF attack El plugin Coming soon y Maintenance mode de WordPress versiones anteriores a 3.6.8, no presenta comprobación CSRF en su acción coming_soon_send_mail AJAX, permitiendo a atacantes hacer que el administrador conectado envíe correos electrónicos arbitrarios a todos los usuarios suscritos por medio de un ataque de tipo CSRF • https://plugins.trac.wordpress.org/changeset/2659455 https://wpscan.com/vulnerability/1ab1748f-c939-4953-83fc-9df878da7714 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24577 – Coming Soon and Maintenance Mode < 3.5.3 - Authenticated Stored XSS
https://notcve.org/view.php?id=CVE-2021-24577
The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode pages, leading to stored XSS. El plugin Coming soon y Maintenance mode de WordPress versiones anteriores a 3.5.3, no sanea correctamente las entradas enviadas por los usuarios autenticados cuando se configuran añadiendo o modificando las páginas coming soon o maintenance mode, conllevando a un ataque de tipo XSS almacenado • https://wpscan.com/vulnerability/d453b547-41a8-4a6b-8349-8686b7054805 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •