Description
The WordPress plugin WP Maintenance Mode is prone to multiple vulnerabilities, including security bypass and information disclosure. An attacker may leverage these issues to perform otherwise restricted actions and subsequently modify plugin settings, or to obtain sensitive information that may help in launching further attacks. WP Maintenance Mode version 2.0.3 is vulnerable; prior versions may also be affected.
Remediation
Update the plugin to version 2.0.4 or the latest version.
References
https://www.wordfence.com/blog/2016/07/3-vulnerabilities-wp-maintenance-mode/
https://wordpress.org/plugins/wp-maintenance-mode/changelog/