CVE-2023-2159
Published 2023-06-09
Priority: P427 | Severity: medium, 5.3 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.77% (51.1th percentile)
The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Maintenance Mode Bypass in versions up to, and including, 4.1.7. A correct cmp_bypass GET parameter in the URL (equal to the md5-hashed home_url in the default setting) allows users to visit a site placed in maintenance mode thus bypassing the plugin's provided feature.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| niteo | cmp_coming_soon_maintenance_plugin_by_niteothemes | <= 4.1.7 | — |
| niteothemes | cmp | < 4.1.8 | 4.1.8 |
VulDB
CMP Coming Soon & Maintenance Plugin up to 4.1.7 on WordPress Maintenance Mode access control
vuldb·2026-04-10·CVSS 5.3
CVE-2023-2159 [MEDIUM] CMP Coming Soon & Maintenance Plugin up to 4.1.7 on WordPress Maintenance Mode access control
A vulnerability classified as critical was found in CMP Coming Soon & Maintenance Plugin up to 4.1.7 on WordPress. This issue affects some unknown processing of the component Maintenance Mode. The manipulation results in improper access controls.
This vulnerability is identified as CVE-2023-2159. The attack can be executed remotely. There is not any exploit available.
GHSA
GHSA-vw9j-prfj-jvhh: The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Maintenance Mode Bypass in versions up to, and including, 4
ghsa_unreviewed·2023-07-06
CVE-2023-2159 [MEDIUM] CWE-284 GHSA-vw9j-prfj-jvhh: The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Maintenance Mode Bypass in versions up to, and including, 4
The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Maintenance Mode Bypass in versions up to, and including, 4.1.7. A correct cmp_bypass GET parameter in the URL (equal to the md5-hashed home_url in the default setting) allows users to visit a site placed in maintenance mode thus bypassing the plugin's provided feature.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1.6/niteo-cmp.php#L808
https://plugins.trac.wordpress.org/changeset/2900571/cmp-coming-soon-maintenance/tags/4.1.8/cmp-advanced.php?old=2873620&old_path=cmp-coming-soon-maintenance%2Ftags%2F4.1.7%2Fcmp-advanced.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/af955f69-b18c-446e-b05e-6a57a5f16dfa?source=cve
Published: 2023-06-09