CVE-2024-5087 Information

Description

The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax deactivate_ajax and save_ajax functions in all versions up to and including 2.38. This makes it possible for authenticated attackers with Subscriber-level access and above to edit the license key which could disable features of the plugin.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Reference

https://www.wordfence.com/threat-intel/vulnerabilities/id/affdaf63-2098-4ad6-b15b-990d1941fecb?source=cve https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L51 https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L52 https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L54 https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L561 https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L585 https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L596 https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CRLF%20Injection/README.md https://plugins.trac.wordpress.org/changeset/3099123/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

LOW

Base Severity

6.3