Maintenance Mode Bypass Vulnerability in CMP Plugin for WordPress
CVE-2023-2159

5.3MEDIUM

Key Information:

Vendor
Wordpress
Status
CMP – Coming Soon & Maintenance Plugin by NiteoThemes
Vendor
CVE Published:
9 June 2023

Summary

The CMP – Coming Soon & Maintenance plugin for WordPress contains a vulnerability that allows unauthorized users to bypass maintenance mode. This occurs through the misuse of the 'cmp_bypass' GET parameter, which matches a specific md5-hashed home URL. Consequently, this flaw permits access to websites that are supposed to be restricted during maintenance, potentially exposing sensitive data or functionality to unauthorized visitors.

Affected Version(s)

CMP – Coming Soon & Maintenance Plugin by NiteoThemes * <= 4.1.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/cmp-coming-soo...
https://plugins.trac.wordpress.org/changeset/2900571/cmp-...

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka
.