Unauthenticated Attackers Can Bypass Maintenance Mode in WP Maintenance Plugin
CVE-2024-0789

5.3MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Maintenance
Vendor: CVE Published:; 19 June 2024

Summary

The WP Maintenance plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 6.1.9.2 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass maintenance mode.

Affected Version(s)

WP Maintenance * <= 6.1.9.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 19, 2024
Vulnerability Reserved
Jan 22, 2024

Credit

Hoa Le Ngoc