CVE-2020-36730
📋 TL;DR
The CMP - Coming Soon & Maintenance plugin for WordPress exposes three admin-ajax.php actions (cmp_get_post_detail, niteo_export_csv and cmp_disable_comingsoon_ajax) without any authorization check. An unauthenticated attacker can call them to read post content, export the subscriber list as CSV, and switch the coming-soon/maintenance mode off, taking an unfinished site public. All plugin versions up to and including 3.8.1 are affected; 3.8.2 fixes it.
💻 Affected Systems
- CMP - Coming Soon & Maintenance by NiteoThemes
📦 What is this software?
CMP - Coming Soon & Maintenance is a WordPress plugin by NiteoThemes that puts a site behind a coming-soon or maintenance page and can collect visitor email subscriptions, which it stores and lets the administrator export as CSV.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could extract sensitive post content, steal subscriber email lists, and disable the maintenance/coming soon functionality, potentially exposing the site prematurely.
Likely Case
Unauthenticated attackers reading private posts and exporting subscriber email addresses for spam/phishing campaigns.
If Mitigated
Limited data exposure if the site has no private post content and does not collect subscribers, but the missing authorization check still lets anyone take the site out of maintenance mode, so the plugin should be updated regardless.
🎯 Exploit Status
Exploitation requires nothing more than an HTTP request (GET or POST) to /wp-admin/admin-ajax.php with the action parameter set to one of the three affected handlers; no WordPress account or session is needed. The handlers were reachable through the unauthenticated (wp_ajax_nopriv_*) hook variant and performed no capability check, which is the whole bug.
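To show what that bug class looks like in WordPress code, here is an added illustration written for this page; it is not the CMP plugin's code, and the action name example_export and the option name example_subscribers are made up. The vulnerable handler is registered on the wp_ajax_nopriv_ hook and checks nothing; the hardened one drops that hook, verifies a nonce against CSRF, and enforces a capability:

```php
<?php
// Added illustration of the bug class behind this CVE, written for this page.
// It is NOT the CMP plugin's code: the action name "example_export" and the
// option "example_subscribers" are hypothetical stand-ins.

// --- Vulnerable pattern -------------------------------------------------
// The privileged operation (dumping the subscriber list) is hooked for both
// logged-in (wp_ajax_*) and anonymous (wp_ajax_nopriv_*) callers, and the
// handler never asks who is calling. Anyone can send
// action=example_export_vulnerable to /wp-admin/admin-ajax.php.
function example_export_subscribers_vulnerable() {
    $rows = get_option( 'example_subscribers', [] ); // hypothetical storage
    header( 'Content-Type: text/csv' );
    foreach ( $rows as $row ) {
        echo implode( ',', $row ), "\n";
    }
    wp_die(); // admin-ajax.php handlers must end the request themselves
}
add_action( 'wp_ajax_example_export_vulnerable',        'example_export_subscribers_vulnerable' );
add_action( 'wp_ajax_nopriv_example_export_vulnerable', 'example_export_subscribers_vulnerable' );

// --- Hardened pattern ---------------------------------------------------
// 1. No wp_ajax_nopriv_ registration: anonymous callers get WordPress's
//    default "0" / HTTP 400 response and never reach the handler.
// 2. check_ajax_referer() verifies a nonce, which defends against CSRF only.
// 3. current_user_can() is the actual authorization check; a logged-in
//    subscriber fails it even when holding a valid nonce.
function example_export_subscribers_hardened() {
    check_ajax_referer( 'example_export', 'nonce' ); // dies with 403 on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( [ 'message' => 'Forbidden' ], 403 );
    }
    $rows = get_option( 'example_subscribers', [] );
    header( 'Content-Type: text/csv' );
    foreach ( $rows as $row ) {
        echo implode( ',', $row ), "\n";
    }
    wp_die();
}
add_action( 'wp_ajax_example_export', 'example_export_subscribers_hardened' );
```

The nonce and the capability check are separate controls: the nonce proves the request originated from a page WordPress rendered for this user, the capability check proves the user is allowed to perform the action. An action reachable on wp_ajax_nopriv_ with neither is exactly the condition this CVE describes.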
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.8.2
Advisory (NinTechNet, a third party; the vendor is NiteoThemes): https://blog.nintechnet.com/multiple-vulnerabilities-fixed-in-cmp-coming-soon-and-maintenance-plugin/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find CMP - Coming Soon & Maintenance
4. Click 'Update Now' if available
5. Alternatively, download version 3.8.2+ from WordPress repository and manually update
🔧 Temporary Workarounds
Disable the vulnerable plugin (all platforms)
Temporarily deactivate the CMP plugin until it can be updated. A deactivated plugin registers no AJAX actions, so the handlers become unreachable, but the site loses its coming-soon/maintenance page while it is off.
Web application firewall rule (all platforms)
Block requests to /wp-admin/admin-ajax.php whose action parameter is cmp_get_post_detail, niteo_export_csv, or cmp_disable_comingsoon_ajax. admin-ajax.php reads the action from both the query string and the POST body, so the rule must inspect both, not just the URL.
🧯 If You Can't Patch
- Disable the CMP plugin entirely and use alternative maintenance mode solutions
- Do not block /wp-admin/admin-ajax.php wholesale: themes and other plugins use it for legitimate unauthenticated front-end requests, and a blanket block will break them. Restrict only the three action values above, or limit the endpoint to trusted source ranges if the site has no public AJAX features at all
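If the plugin must stay active until the update window, an mu-plugin can refuse the three actions before CMP's own handlers run. This is an added example written for this page, not code from NiteoThemes or from the advisory; it assumes CMP registers its handlers at WordPress's default hook priority of 10 and that manage_options is the appropriate capability for all three actions:

```php
<?php
/**
 * Plugin Name: CMP AJAX action guard (temporary virtual patch for CVE-2020-36730)
 * Description: Denies the three CMP admin-ajax.php actions to anonymous callers and
 *              to logged-in users without manage_options. Drop into
 *              wp-content/mu-plugins/ and delete it once CMP is at 3.8.2 or later.
 *
 * Added example for this page, not the plugin's or the advisory's code.
 */

// Action names taken from the advisory.
const CMP_GUARD_ACTIONS = [
    'cmp_get_post_detail',
    'niteo_export_csv',
    'cmp_disable_comingsoon_ajax',
];

// Well below WordPress's default priority of 10, so the guard runs before the
// plugin's callback on the same hook. Assumption: CMP uses the default priority.
const CMP_GUARD_PRIORITY = -1000;

/**
 * Refuse the request with HTTP 403. wp_send_json_error() ends the request
 * through wp_die(), so no later callback on the hook (including the plugin's
 * handler) executes. The error_log() line is the detection record: it sees
 * the action even when it arrived in a POST body.
 */
function cmp_guard_deny( string $action ): void {
    error_log( sprintf(
        'cmp-guard: blocked action=%s ip=%s user_id=%d',
        $action,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        get_current_user_id()
    ) );
    wp_send_json_error( [ 'message' => 'Forbidden' ], 403 );
}

foreach ( CMP_GUARD_ACTIONS as $action ) {
    // Anonymous callers: always refuse. If CMP never registered a nopriv hook
    // for this action, registering one that only denies is harmless.
    add_action( "wp_ajax_nopriv_{$action}", function () use ( $action ) {
        cmp_guard_deny( $action );
    }, CMP_GUARD_PRIORITY );

    // Logged-in callers: require the capability an admin-only action should
    // have demanded in the first place (assumption: manage_options).
    add_action( "wp_ajax_{$action}", function () use ( $action ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            cmp_guard_deny( $action );
        }
    }, CMP_GUARD_PRIORITY );
}
```

Create wp-content/mu-plugins/ if it does not exist and place the file there; must-use plugins load on every request without activation, so the guard is live immediately and cannot be deactivated from the admin panel. The error_log() output lands in the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on) and gives you an application-side record of blocked attempts that web-server access logs cannot provide. Remove the file after updating to 3.8.2 or later.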
🔍 How to Verify
Check if Vulnerable:
In WordPress admin → Plugins → Installed Plugins, read the version shown for CMP - Coming Soon & Maintenance. Any version up to and including 3.8.1 is vulnerable. A deactivated copy registers no AJAX actions, but update it before reactivating.
Check Version (WP-CLI; the argument is the plugin's directory slug, cmp-coming-soon-maintenance, not its display title, so filtering by the display name would match nothing):
wp plugin get cmp-coming-soon-maintenance --field=version
Verify Fix Applied:
Confirm the reported version is 3.8.2 or higher, in the admin panel or via the WP-CLI command above, and then remove any temporary WAF rule or mu-plugin guard you put in place.
📡 Detection & Monitoring
Log Indicators:
- Requests to /wp-admin/admin-ajax.php whose action parameter is cmp_get_post_detail, niteo_export_csv, or cmp_disable_comingsoon_ajax, particularly from clients carrying no wordpress_logged_in_* cookie (if your logs record cookies). The action is normally sent in the POST body, which standard access logs do not capture, so web-server logs alone only catch exploitation via GET; a WAF, a reverse proxy with request-body logging, or a WordPress-side hook is needed to see the rest.
Network Indicators:
- Unusual spikes in requests to admin-ajax.php from external IPs
SIEM Query (query-string form; add the request-body field your WAF or proxy exports to cover POST):
source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND (query="*cmp_get_post_detail*" OR query="*niteo_export_csv*" OR query="*cmp_disable_comingsoon_ajax*")
🔗 References
- https://blog.nintechnet.com/multiple-vulnerabilities-fixed-in-cmp-coming-soon-and-maintenance-plugin/
- https://wpscan.com/vulnerability/10341
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-cmp-coming-soon-maintenance-by-niteothemes-security-bypass-3-8-1/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f1ef067b-e4b4-4174-b6ff-ec94a7afd55d?source=cve