CVE-2024-5087

The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the license key, which could disable features of the plugin.
References
Link Resource
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CRLF%20Injection/README.md Not Applicable
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L51 Product
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L52 Product
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L54 Product
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L561 Product
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L585 Product
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L596 Product
https://plugins.trac.wordpress.org/changeset/3099123/ Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/affdaf63-2098-4ad6-b15b-990d1941fecb?source=cve Third Party Advisory
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CRLF%20Injection/README.md Not Applicable
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L51 Product
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L52 Product
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L54 Product
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L561 Product
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L585 Product
https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L596 Product
https://plugins.trac.wordpress.org/changeset/3099123/ Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/affdaf63-2098-4ad6-b15b-990d1941fecb?source=cve Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:webfactoryltd:minimal_coming_soon_\&_maintenance_mode:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 09:46

Type Values Removed Values Added
References () https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CRLF%20Injection/README.md - Not Applicable () https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CRLF%20Injection/README.md - Not Applicable
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L51 - Product () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L51 - Product
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L52 - Product () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L52 - Product
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L54 - Product () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L54 - Product
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L561 - Product () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L561 - Product
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L585 - Product () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L585 - Product
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L596 - Product () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L596 - Product
References () https://plugins.trac.wordpress.org/changeset/3099123/ - Patch () https://plugins.trac.wordpress.org/changeset/3099123/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/affdaf63-2098-4ad6-b15b-990d1941fecb?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/affdaf63-2098-4ad6-b15b-990d1941fecb?source=cve - Third Party Advisory
CVSS v2 : unknown
v3 : 5.4
v2 : unknown
v3 : 6.3

31 Oct 2024, 18:26

Type Values Removed Values Added
First Time Webfactoryltd minimal Coming Soon \& Maintenance Mode
Webfactoryltd
CWE CWE-862
CVSS v2 : unknown
v3 : 6.3
v2 : unknown
v3 : 5.4
Summary
  • (es) El complemento Minimal Coming Soon – Coming Soon Page para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en las funciones validar_ajax, desactivar_ajax y guardar_ajax en todas las versiones hasta la 2.38 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, editen la clave de licencia, lo que podría deshabilitar las funciones del complemento.
CPE cpe:2.3:a:webfactoryltd:minimal_coming_soon_\&_maintenance_mode:*:*:*:*:*:wordpress:*:*
References () https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CRLF%20Injection/README.md - () https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CRLF%20Injection/README.md - Not Applicable
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L51 - () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L51 - Product
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L52 - () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L52 - Product
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L54 - () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L54 - Product
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L561 - () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L561 - Product
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L585 - () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L585 - Product
References () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L596 - () https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L596 - Product
References () https://plugins.trac.wordpress.org/changeset/3099123/ - () https://plugins.trac.wordpress.org/changeset/3099123/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/affdaf63-2098-4ad6-b15b-990d1941fecb?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/affdaf63-2098-4ad6-b15b-990d1941fecb?source=cve - Third Party Advisory

08 Jun 2024, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-08 06:15

Updated : 2024-11-21 09:46


NVD link : CVE-2024-5087

Mitre link : CVE-2024-5087

CVE.ORG link : CVE-2024-5087


JSON object : View

Products Affected

webfactoryltd

  • minimal_coming_soon_\&_maintenance_mode
CWE
CWE-862

Missing Authorization