Reflected Cross-Site Scripting in Smart Maintenance Mode Plugin for WordPress
CVE-2025-1490

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Smart Maintenance Mode
Vendor: CVE Published:; 26 March 2025

What is CVE-2025-1490?

The Smart Maintenance Mode plugin for WordPress suffers from a Reflected Cross-Site Scripting (XSS) vulnerability due to insufficient sanitization of user inputs, specifically in the ‘setstatus’ parameter. This flaw affects all versions up to and including 1.5.2. Unauthenticated attackers can exploit this vulnerability by crafting malicious links that, when clicked, execute arbitrary web scripts within the user's browser session. This exposure can lead to unauthorized actions and compromise user data, making it critical for users to update to a patched version.

Affected Version(s)

Smart Maintenance Mode * <= 1.5.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/smart-maintena...

https://wordpress.org/plugins/smart-maintenance-mode/#dev...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 26, 2025
Vulnerability Reserved
Feb 19, 2025

Credit

Krzysztof Zając