CVE-2022-0164

CWE-352 — Cross-Site Request Forgery (CSRF)CWE-862 — Missing Authorization CWE-863 — Incorrect Authorization3 documents3 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 75.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Coming Soon AND Maintenance Mode Wpdevart Coming Soon AND Maintenance Mode

Timeline

PublishedFeb 21

Latest updateFeb 22

Description

The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5unknown/coming_soon_and_maintenance_mode< 3.5.3

▶NVDwpdevart/coming_soon_and_maintenance_mode< 3.5.3

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-f5c9-gcjw-ghvw: The Coming soon and Maintenance mode WordPress plugin before 3↗2022-02-22

▶

CVEList

Coming soon and Maintenance mode < 3.6.7 - Subscriber+ Arbitrary Email Sending to Subscribed Users↗2022-02-21

▶