CVE-2024-1075 - OpenCVE

The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Webfactoryltd	Minimal Coming Soon \& Maintenance Mode

Configuration 1 [-]

cpe:2.3:a:webfactoryltd:minimal_coming_soon_\&_maintenance_mode:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php#L67	Product
https://plugins.trac.wordpress.org/changeset/3031149/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07?source=cve	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-02-05T21:21:50.435Z

Updated: 2024-07-05T17:21:34.056Z

Reserved: 2024-01-30T16:21:06.947Z

Link: CVE-2024-1075

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-02-05T22:16:07.283

Modified: 2024-02-13T19:43:13.480

Link: CVE-2024-1075

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1075", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-01-30T16:21:06.947Z", "datePublished": "2024-02-05T21:21:50.435Z", "dateUpdated": "2024-07-05T17:21:34.056Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-02-05T21:21:50.435Z"}, "affected": [{"vendor": "webfactory", "product": "Minimal Coming Soon \u2013 Coming Soon Page", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.37", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Minimal Coming Soon \u2013 Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php#L67"}, {"url": "https://plugins.trac.wordpress.org/changeset/3031149/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-02-05T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1075", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-06T16:10:05.563658Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:34.056Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webfactoryltd:minimal_coming_soon_\\&_maintenance_mode:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5AC7653C-F4C4-44E4-846A-C0C5BF9CC4D4", "versionEndIncluding": "2.37", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Minimal Coming Soon \u2013 Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden."}, {"lang": "es", "value": "El complemento Minimal Coming Soon \u2013 Coming Soon Page para WordPress es vulnerable a la omisi\u00f3n del modo de mantenimiento y a la divulgaci\u00f3n de informaci\u00f3n en todas las versiones hasta la 2.37 incluida. Esto se debe a que el complemento valid\u00f3 incorrectamente la ruta de la solicitud. Esto hace posible que atacantes no autenticados omitan el modo de mantenimiento y vean p\u00e1ginas que deber\u00edan estar ocultas."}], "id": "CVE-2024-1075", "lastModified": "2024-02-13T19:43:13.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-02-05T22:16:07.283", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php#L67"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3031149/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}