CVE-2023-2159

low-risk
Published 2023-06-09

The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Maintenance Mode Bypass in versions up to, and including, 4.1.7. A correct cmp_bypass GET parameter in the URL (equal to the md5-hashed home_url in the default setting) allows users to visit a site placed in maintenance mode thus bypassing the plugin's provided feature.

Do I need to act?

-
0.15% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Cmp

Affected Vendors

Niteothemes

References (6)

Exploit https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1....
Patch https://plugins.trac.wordpress.org/changeset/2900571/cmp-coming-soon-maintenance...
Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/af955f69-b18c-446e-b05...
Exploit https://plugins.trac.wordpress.org/browser/cmp-coming-soon-maintenance/tags/4.1....
Patch https://plugins.trac.wordpress.org/changeset/2900571/cmp-coming-soon-maintenance...
Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/af955f69-b18c-446e-b05...
27
/ 100
low-risk
Severity 21/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal