WordPress Plugin Vulnerabilities

WP Maintenance < 6.1.7 - Information Exposure

Description

The WP Maintenance plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.1.6 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's maintenance mode obtain post and page content via REST API.

Affects Plugins

Plugin icon
wp-maintenance
Fixed in 6.1.7

References

CVE
CVE-2024-1472
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/645328f3-2bcb-4287-952c-2e23ec57bb4e

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
83d96d31-8ae6-4ba5-9972-299c36513431

Timeline

Publicly Published
2024-02-16 (about 2 months ago)
Added
2024-02-16 (about 2 months ago)
Last Updated
2024-02-16 (about 2 months ago)

Other

Published
Title
Published
2023-08-14
Title
Advanced File Manager < 5.1.1 - Admin+ Arbitrary File/Folder Access
Published
2024-02-08
Title
Event Tickets Plus < 5.9.1 - Contributor+ Attendees Lists Disclosure
Published
2024-03-19
Title
Combo Blocks < 2.2.76 - Unauthenticated Password Protected Posts Access
Published
2021-11-03
Title
Event Manager for WooCommerce < 3.5.3 - Unauthenticated Arbitrary Elementor Template Import
Published
2020-08-03
Title
Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download