CVE-2026-27368 – This CVE describes a Missing Authorization vuln... (How to Fix)

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in SeedProd's WordPress plugin that allows attackers to bypass access controls. It affects all WordPress sites using the SeedProd Coming Soon Page, Under Construction & Maintenance Mode plugin versions up to and including 6.19.7. Attackers can exploit incorrectly configured access control security levels to perform unauthorized actions.

💻 Affected Systems

Products:

SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd

Versions: n/a through <= 6.19.7

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations using vulnerable plugin versions regardless of configuration

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover, data exfiltration, or defacement through unauthorized administrative actions

🟠

Likely Case

Unauthorized content modification, settings changes, or access to restricted functionality

🟢

If Mitigated

Limited impact with proper network segmentation and additional authentication layers

🌐 Internet-Facing: HIGH - WordPress plugins are typically internet-facing and accessible via web interfaces

🏢 Internal Only: MEDIUM - Internal systems may still be vulnerable if the plugin is installed internally

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Missing authorization vulnerabilities typically require minimal technical skill to exploit once discovered

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 6.19.7

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/coming-soon/vulnerability/wordpress-coming-soon-page-under-construction-maintenance-mode-by-seedprod-plugin-6-19-7-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find SeedProd Coming Soon Page plugin
4. Click 'Update Now' if available
5. Alternatively, download version >6.19.7 from WordPress repository
6. Deactivate and delete old version
7. Upload and activate new version

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the SeedProd plugin until patched

wp plugin deactivate coming-soon

Implement web application firewall rules

all

Block suspicious requests to plugin endpoints

🧯 If You Can't Patch

Disable the SeedProd plugin completely and use alternative maintenance mode solutions
Implement network-level access controls to restrict access to WordPress admin interfaces

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for SeedProd Coming Soon Page version

Check Version:

wp plugin get coming-soon --field=version

Verify Fix Applied:

Verify plugin version is >6.19.7 in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to plugin admin endpoints
Unexpected modifications to plugin settings or content

Network Indicators:

Unusual traffic patterns to /wp-content/plugins/coming-soon/ endpoints
Requests bypassing normal authentication flows

SIEM Query:

source="wordpress.log" AND (uri="/wp-admin/admin-ajax.php" OR uri CONTAINS "/coming-soon/") AND status=200 AND user="-"

📊 Metadata

CVE ID: CVE-2026-27368

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-862

Published: February 19, 2026

Last Updated: February 25, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/coming-soon/vulnerability/wordpress-coming-soon-page-under-construction-maintenance-mode-by-seedprod-plugin-6-19-7-broken-access-control-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-27368, you might also want to check these: