CVE-2020-36707
📋 TL;DR
This CSRF vulnerability in the Coming Soon & Maintenance Mode Page WordPress plugin allows attackers to trick a logged-in administrator into performing unauthorized actions by clicking a malicious link. Attackers could change site settings, disable security features, or potentially gain further access. All WordPress sites running version 1.57 or earlier of this plugin are affected.
💻 Affected Systems
- WordPress Coming Soon & Maintenance Mode Page plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could completely compromise the WordPress site by changing administrator credentials, installing backdoors, or disabling security plugins, leading to full site takeover.
Likely Case
Attackers would modify plugin settings to disable maintenance mode prematurely, change coming soon page content, or alter site configuration without authorization.
If Mitigated
With proper CSRF protections and user awareness, the risk is limited to unsuccessful exploitation attempts that administrators would notice and report.
🎯 Exploit Status
Exploitation requires social engineering to trick administrators into clicking malicious links, but the technical execution is simple.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.58 or later
Vendor Advisory: https://wordpress.org/plugins/coming-soon-maintenance-mode-page/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Coming Soon & Maintenance Mode Page'.
4. Click 'Update Now' if available, or download the latest version from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the plugin until patched
wp plugin deactivate coming-soon-maintenance-mode-page
Implement CSRF protection middleware
Add custom nonce validation to WordPress admin functions
Add wp_verify_nonce() checks in plugin admin functions
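The following is an added example, not code from the plugin or the advisory, showing what a nonce-protected settings handler for admin-post.php looks like. The action name csmm_save_settings, the nonce action csmm_save_settings_nonce, the field csmm_nonce and the option csmm_settings are assumed names chosen for the example; the WordPress functions used (wp_nonce_field, wp_verify_nonce, current_user_can, admin_post_ hooks) are the standard API.

```php
<?php
/*
 * Added example, not the plugin's own code: a settings-save handler for an
 * admin-post.php action with the nonce and capability checks a CSRF fix adds.
 * Hypothetical names: action "csmm_save_settings", nonce action
 * "csmm_save_settings_nonce", nonce field "csmm_nonce", option "csmm_settings".
 */

// Render the form. wp_nonce_field() embeds a per-user, time-limited token that a
// page on another origin cannot obtain, so a forged form will fail the check below.
function csmm_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="csmm_save_settings">
        <?php wp_nonce_field( 'csmm_save_settings_nonce', 'csmm_nonce' ); ?>
        <label>Maintenance mode
            <select name="csmm_status">
                <option value="enabled">On</option>
                <option value="disabled">Off</option>
            </select>
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST: reject requests lacking the capability or a valid nonce.
function csmm_save_settings() {
    // Capability check: being logged in is not enough; the user must be allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }

    // Nonce check: this is the control the vulnerable version lacks.
    $nonce = isset( $_POST['csmm_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['csmm_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'csmm_save_settings_nonce' ) ) {
        // Record the failure so log-based detection (see the SIEM query in this advisory) can match it.
        error_log( 'coming-soon csrf nonce_failure for user ' . get_current_user_id() );
        wp_die( 'Security check failed', 'Forbidden', array( 'response' => 403 ) );
    }

    // Accept only known values, never the raw request input.
    $status = isset( $_POST['csmm_status'] ) ? sanitize_key( wp_unslash( $_POST['csmm_status'] ) ) : '';
    if ( ! in_array( $status, array( 'enabled', 'disabled' ), true ) ) {
        wp_die( 'Invalid value', 'Bad Request', array( 'response' => 400 ) );
    }

    update_option( 'csmm_settings', array( 'status' => $status ) );

    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}

// admin_post_{action} fires only for logged-in users posting to admin-post.php.
add_action( 'admin_post_csmm_save_settings', 'csmm_save_settings' );
```

The explicit wp_verify_nonce() call can be replaced by check_admin_referer( 'csmm_save_settings_nonce', 'csmm_nonce' ), which performs the same verification and calls wp_die() on failure. The capability check is kept separate because a nonce only proves the request came from a page the user loaded; it does not prove the user is permitted to change the setting.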
🧯 If You Can't Patch
- Implement strict access controls and limit admin panel access to trusted networks only
- Educate administrators about phishing risks and implement mandatory security awareness training
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Coming Soon & Maintenance Mode Page → Version number. If version is 1.57 or lower, you are vulnerable.
Check Version:
wp plugin get coming-soon-maintenance-mode-page --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.58 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unexpected plugin setting changes without admin login
- Multiple failed nonce validation attempts in WordPress debug logs
Network Indicators:
- HTTP POST requests to /wp-admin/admin-post.php whose Referer header is missing or points to a host other than the site itself
- Requests containing plugin-specific parameters from unexpected sources
SIEM Query:
source="wordpress.log" AND ("coming-soon" OR "maintenance-mode") AND ("nonce_failure" OR "csrf")
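As an added example that is not part of the advisory, the script below applies the network indicators above to web-server access logs: it parses combined-log-format lines (which record the Referer) and flags POST requests to admin-post.php whose Referer is absent or belongs to another host. The site host example.com and the sample log lines are constructed for the example.

```php
<?php
/*
 * Added example, not part of the advisory: scan combined-format access-log lines
 * for POST requests to admin-post.php with a missing or off-site Referer.
 * SITE_HOST and the sample lines are constructed for this example.
 */

const SITE_HOST = 'example.com';

// Combined log format:
// ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

// Parse one line into its fields, or return null if it does not match the format.
function parse_line(string $line): ?array {
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    ];
}

// A request matches the indicator when it is a POST to admin-post.php and the
// Referer is absent ("-") or its host differs from the site's own host.
function is_suspicious(array $req): bool {
    if ($req['method'] !== 'POST') {
        return false;
    }
    if (strpos($req['path'], '/wp-admin/admin-post.php') !== 0) {
        return false;
    }
    if ($req['referer'] === '-' || $req['referer'] === '') {
        return true;
    }
    $host = parse_url($req['referer'], PHP_URL_HOST);
    return !is_string($host) || strcasecmp($host, SITE_HOST) !== 0;
}

// Return the parsed requests that match the indicator.
function find_suspicious(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_line($line);
        if ($req !== null && is_suspicious($req)) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample lines: one legitimate save, one off-site Referer, one missing Referer, one unrelated GET.
$sample = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://example.com/wp-admin/options-general.php?page=csmm" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://third-party.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:58:12 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:14:00:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "https://example.com/wp-login.php" "Mozilla/5.0"',
];

// Prints the second and third sample lines; the first is on-site and the fourth is not a POST.
foreach (find_suspicious($sample) as $hit) {
    printf("%s %s POST admin-post.php referer=%s\n", $hit['time'], $hit['ip'], $hit['referer']);
}
```

A missing Referer on its own is a weak signal, since browsers and privacy extensions strip it in some configurations; treat these hits as leads to correlate with the plugin's own nonce-failure log entries and with the timing of unexpected setting changes, not as confirmed exploitation.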
🔗 References
- https://jetpack.com/features/security/library/nifty-coming-soon-and-under-construction-page-plugin/
- https://wpscan.com/vulnerability/aa47a464-af97-43bc-b6cb-75a08ce3ece7
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-coming-soon-maintenance-mode-page-cross-site-request-forgery-1-57/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/59278214-b0ce-44bf-8d8f-265c5c50006a?source=cve