CVE-2019-25140
📋 TL;DR
This vulnerability lets an unauthenticated attacker store JavaScript in the settings of the WordPress Coming Soon Page & Maintenance Mode plugin. The payload is rendered on the coming soon / maintenance page the plugin serves and runs in the browser of anyone who loads that page, including logged-in administrators. Any WordPress site running a vulnerable version of the plugin is affected.
💻 Affected Systems
- WordPress Coming Soon Page & Maintenance Mode plugin (slug: responsive-coming-soon), versions 1.8.1 and earlier
📦 What is this software?
A WordPress plugin (slug: responsive-coming-soon) that shows visitors a customizable "coming soon" or maintenance page while the site is being built or updated. The settings at issue here (headline, description, logo URL and link text) are rendered on that public page, which is why a value stored by the attacker reaches every visitor.
⚠️ Risk & Real-World Impact
Worst Case
When a logged-in administrator loads the page carrying the payload, the script runs with that administrator's session and can perform authenticated actions on their behalf (create an administrator account, edit plugin or theme files, change site settings), giving the attacker persistent access. The public page can also be defaced and visitors redirected to malicious sites.
Likely Case
Attackers inject scripts that redirect visitors to phishing sites, display unwanted advertisements, or act in the browser of a logged-in user. WordPress sets its authentication cookies HttpOnly, so the cookie value itself is normally not readable from script, but a script can still issue requests that carry it.
If Mitigated
With the settings-save handler restricted to authenticated, authorized users, each value sanitized on input and escaped on output, injected markup is stored and rendered as inert text rather than executed.
🎯 Exploit Status
Exploitation requires no authentication: a single crafted POST to wp-admin/admin-ajax.php with a payload in one of the affected parameters is enough. Public technical details and proof-of-concept information are available in the referenced advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.2 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2123149/responsive-coming-soon
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Coming Soon Page & Maintenance Mode'.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 1.8.2 or later from the WordPress plugin repository and replace the plugin files.
Updating stops further injection but does not remove payloads already saved in the plugin's settings; review those after updating (see How to Verify).
🔧 Temporary Workarounds
Disable the vulnerable plugin
Temporarily deactivate the plugin until it is patched. Note that this also takes the coming soon / maintenance page offline, so the unfinished site becomes publicly visible:
wp plugin deactivate responsive-coming-soon
Apply input filtering
Add custom sanitization for the affected settings. WordPress runs the pre_update_option_{option} filter before a value is written, so a filter in the theme's functions.php sanitizes the value whichever code path saves it. The option name below is inferred from the parameter name and is an assumption; check the plugin's code for the actual option keys. Use esc_url_raw() for the URL setting, because sanitize_text_field() strips tags but leaves a javascript: URL intact; the text settings (headline, description, link text) can be filtered the same way with sanitize_text_field():
add_filter('pre_update_option_rcsp_logo_url', 'esc_url_raw');
🧯 If You Can't Patch
- Deploy WAF rules that block POST requests to wp-admin/admin-ajax.php carrying any of the affected parameters (logo_width, logo_height, rcsp_logo_url, home_sec_link_txt, rcsp_headline, rcsp_description) with markup, javascript: URIs or event-handler attributes. Match on URL-decoded values, and do not block admin-ajax.php wholesale: other plugins use it for legitimate front-end requests.
- Take the coming soon / maintenance page offline entirely, so there is no public page on which a stored payload can render, accepting that the site content then becomes visible.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin under Plugins → Installed Plugins → Coming Soon Page & Maintenance Mode. Version 1.8.1 or lower is vulnerable.
Check Version:
wp plugin get responsive-coming-soon --field=version
Verify Fix Applied:
Confirm the plugin version is 1.8.2 or higher. Then review the plugin's saved settings (headline, description, logo URL, link text) for unexpected HTML or JavaScript, since the update does not clean values injected before it was applied. Finally, save a harmless marker such as a <b> tag through the settings form and confirm the coming soon page shows it as literal text rather than rendering it as markup.
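The version check above, as an added example (not code from the advisory or from the plugin): it reads the version either from WP-CLI, when available, or from the Version: header of a plugin file, and compares it against the 1.8.2 fix as integer tuples rather than strings. The fixed version and slug come from this page; SAMPLE_HEADER is a constructed stand-in for the plugin's real main file.

```python
"""Added example, not code from the advisory or from the plugin: decide whether
an installed copy of the plugin is at a version affected by CVE-2019-25140.

The fixed version (1.8.2) and the slug (responsive-coming-soon) come from this
page. Versions are compared as integer tuples, because a plain string compare
gets "1.8.10" < "1.8.2" wrong. SAMPLE_HEADER is a constructed plugin header,
not the plugin's real main file.
"""
import re
import shutil
import subprocess

PLUGIN_SLUG = "responsive-coming-soon"
FIXED_VERSION = "1.8.2"

# Constructed stand-in for the header comment at the top of a plugin's main PHP file.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Coming Soon Page & Maintenance Mode
Description: Constructed sample header for the version check below.
Version: 1.8.1
*/
"""

# Matches "Version: x.y.z" whether or not the header lines are prefixed with " * ".
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(version):
    """'1.8.10' -> (1, 8, 10); non-numeric suffixes such as '-beta' are ignored."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version):
    """True when the installed version predates the 1.8.2 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_header(php_source):
    """Read the Version: line of a WordPress plugin header comment, or None."""
    match = HEADER_VERSION_RE.search(php_source)
    return match.group(1) if match else None


def version_from_wpcli(wp_path="."):
    """Ask WP-CLI for the installed version (same command as the manual check
    above); returns None when wp is not on PATH or the plugin is not installed."""
    if shutil.which("wp") is None:
        return None
    result = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True,
    )
    if result.returncode != 0:
        return None
    return result.stdout.strip() or None


def assess(version):
    """Return a one-line verdict suitable for a report."""
    state = "VULNERABLE" if is_vulnerable(version) else "fixed"
    return f"{PLUGIN_SLUG} {version}: {state} (fix in {FIXED_VERSION})"


if __name__ == "__main__":
    # Prefer the live WP-CLI answer; fall back to the constructed header so the
    # script still demonstrates the check on a machine without WordPress.
    version = version_from_wpcli() or version_from_header(SAMPLE_HEADER)
    print(assess(version))
```

Point the script at a real install with version_from_wpcli("/var/www/html") or feed version_from_header() the contents of the plugin's main PHP file; the tuple comparison is what keeps a future 1.8.10 from being misreported as vulnerable.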
📡 Detection & Monitoring
Log Indicators:
- POST requests to wp-admin/admin-ajax.php from clients without a WordPress login cookie (wordpress_logged_in_*) that carry any of the parameters logo_width, logo_height, rcsp_logo_url, home_sec_link_txt, rcsp_headline or rcsp_description with script tags, javascript: URIs or event-handler attributes. Standard access logs do not record POST bodies; this indicator needs a WAF, reverse-proxy or application-level log that does.
Network Indicators:
- HTTP requests whose parameter values contain <script, javascript:, inline event handlers such as onerror=, or URL-encoded and double-URL-encoded forms of these (%3Cscript, %253Cscript)
SIEM Query:
Illustrative pseudo-query; field names depend on the log source, the match should run on URL-decoded values, and inline event handlers (onerror=, onload=) should be added to the payload terms:
source="wordpress.log" AND (parameter="logo_width" OR parameter="logo_height" OR parameter="rcsp_logo_url" OR parameter="home_sec_link_txt" OR parameter="rcsp_headline" OR parameter="rcsp_description") AND (payload="<script" OR payload="javascript:")
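The detection logic above run over sample request records, as an added example (not code from the advisory or from the plugin). It assumes a WAF or reverse-proxy audit log that records POST bodies as one JSON object per request; that layout, every record in SAMPLE_LOG and the placeholder action name "example_action" are constructed for the example. The parameter names are the ones listed above. Values are URL-decoded a second time after parsing so that double-encoded payloads, which a raw-string SIEM match would miss, are seen in the clear.

```python
"""Added example, not code from the advisory or from the plugin: flag POST
requests to wp-admin/admin-ajax.php that push XSS payloads into the affected
settings parameters listed on this page.

Ordinary web-server access logs do not record POST bodies, so the input is
assumed to be a WAF or reverse-proxy audit log with one JSON object per
request. That layout and every record in SAMPLE_LOG are constructed for this
example; "example_action" is a placeholder, not the plugin's real AJAX action.
"""
import json
import re
import urllib.parse

AJAX_PATH = "/wp-admin/admin-ajax.php"

# Parameter names from the advisory's log-indicator list.
WATCHED_PARAMS = {
    "logo_width", "logo_height", "rcsp_logo_url",
    "home_sec_link_txt", "rcsp_headline", "rcsp_description",
}

# Opening/closing tags of script-bearing elements, javascript: URIs, inline
# event handlers, and data: URIs carrying HTML. Case-insensitive, whitespace-tolerant.
XSS_PATTERN = re.compile(
    r"<\s*/?\s*(script|svg|img|iframe|object|embed|math)\b"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*="
    r"|data\s*:\s*text/html",
    re.IGNORECASE,
)

# Constructed sample log. Record 1: plain payloads; record 2: legitimate save by a
# logged-in user; record 3: double URL-encoded payload; records 4-5: unrelated traffic.
SAMPLE_LOG = [
    '{"ts": "2019-09-02T10:14:02Z", "src": "203.0.113.7", "method": "POST", '
    '"uri": "/wp-admin/admin-ajax.php", "cookie": "", '
    '"body": "action=example_action&rcsp_headline=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
    '&rcsp_logo_url=javascript%3Aalert%281%29&logo_width=200"}',
    '{"ts": "2019-09-02T10:20:41Z", "src": "198.51.100.4", "method": "POST", '
    '"uri": "/wp-admin/admin-ajax.php", "cookie": "wordpress_logged_in_abc=admin%7Cexample", '
    '"body": "action=example_action&rcsp_headline=Launching+soon&rcsp_logo_url=https%3A%2F%2Fexample.com%2Flogo.png"}',
    '{"ts": "2019-09-02T10:33:09Z", "src": "203.0.113.7", "method": "POST", '
    '"uri": "/wp-admin/admin-ajax.php", "cookie": "", '
    '"body": "action=example_action&home_sec_link_txt=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E"}',
    '{"ts": "2019-09-02T10:35:55Z", "src": "192.0.2.9", "method": "GET", '
    '"uri": "/wp-admin/admin-ajax.php?action=heartbeat", "cookie": "", "body": ""}',
    '{"ts": "2019-09-02T10:36:12Z", "src": "192.0.2.9", "method": "POST", '
    '"uri": "/wp-comments-post.php", "cookie": "", "body": "comment=%3Cscript%3E"}',
]


def decode_value(value):
    """parse_qs already URL-decoded once; decode once more so double-encoded
    payloads are matched. Side effect: a literal '+' left after the first pass
    becomes a space, which is harmless for detection."""
    return urllib.parse.unquote_plus(value)


def is_authenticated(cookie_header):
    """WordPress marks a logged-in browser with a wordpress_logged_in_<hash> cookie."""
    return "wordpress_logged_in_" in (cookie_header or "")


def inspect_record(record):
    """Return one finding per watched parameter whose value matches XSS_PATTERN."""
    if record.get("method") != "POST":
        return []
    if urllib.parse.urlsplit(record.get("uri", "")).path != AJAX_PATH:
        return []
    params = urllib.parse.parse_qs(record.get("body", ""), keep_blank_values=True)
    findings = []
    for name, values in params.items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = decode_value(value)
            match = XSS_PATTERN.search(decoded)
            if match:
                findings.append({
                    "ts": record.get("ts"),
                    "src": record.get("src"),
                    "param": name,
                    "matched": match.group(0),
                    "value": decoded[:120],
                    "authenticated": is_authenticated(record.get("cookie")),
                })
    return findings


def scan(lines):
    """Scan JSON-lines records; malformed lines are skipped rather than fatal."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(inspect_record(record))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        auth = "authenticated" if f["authenticated"] else "UNAUTHENTICATED"
        print(f'{f["ts"]} {f["src"]} {auth} {f["param"]}: {f["value"]}')
```

Against the constructed log this reports three findings (two from the first record, one from the double-encoded third) and nothing for the legitimate authenticated save, the GET, or the comment form. The unauthenticated flag is the strongest signal for this bug: a settings write to admin-ajax.php from a client with no login cookie has no legitimate explanation.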
🔗 References
- https://blog.nintechnet.com/unauthenticated-stored-xss-in-wordpress-coming-soon-page-and-maintenance-mode-plugin/
- https://plugins.trac.wordpress.org/changeset/2121321/responsive-coming-soon
- https://plugins.trac.wordpress.org/changeset/2123149/responsive-coming-soon
- https://www.wordfence.com/threat-intel/vulnerabilities/id/738c6c77-97ef-4e47-9f14-9b73ea425bc2?source=cve