Lucene search

WordfenceCVELIST:CVE-2019-25139

HistoryJun 07, 2023 - 1:51 a.m.

CVE-2019-25139

2023-06-0701:51:23

Wordfence

www.cve.org

wordpress

coming soon plugin

settings reset

vulnerability

cve-2019-25139

unauthenticated

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

0.001 Low

EPSS

Percentile

46.4%

JSON

The Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to unauthenticated settings reset in versions up to, and including 1.8.1 due to missing capability checks in the ~/functions/data-reset-post.php file which makes it possible for unauthenticated attackers to trigger a plugin settings reset.

CNA Affected

[
  {
    "vendor": "wpshopmart",
    "product": "Coming Soon Page & Maintenance Mode",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.8.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

blog.nintechnet.com/unauthenticated-stored-xss-in-wordpress-coming-soon-page-and-maintenance-mode-plugin/

plugins.trac.wordpress.org/changeset/2121321

plugins.trac.wordpress.org/changeset/2123149

www.wordfence.com/threat-intel/vulnerabilities/id/61fdc6e9-75ea-4226-9527-a5fd02efde70?source=cve

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

0.001 Low

EPSS

Percentile

46.4%

JSON

Related for CVELIST:CVE-2019-25139