Minimal Coming Soon – Coming Soon Page Vulnerability – Missing Authorization to Limited Settings Change – CVE-2024-5087 | WordPress Plugin Vulnerability Report
Plugin Name: Minimal Coming Soon – Coming Soon Page
Key Information:
- Software Type: Plugin
- Software Slug: minimal-coming-soon-maintenance-mode
- Software Status: Active
- Software Author: webfactory
- Software Downloads: 2,009,191
- Active Installs: 100,000
- Last Updated: June 19, 2024
- Patched Versions: 2.39
- Affected Versions: <= 2.38
Vulnerability Details:
- Name: Minimal Coming Soon – Coming Soon Page <= 2.38
- Title: Missing Authorization to Limited Settings Change
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- CVE: CVE-2024-5087
- CVSS Score: 6.3
- Publicly Published: June 7, 2024
- Researcher: Foxyyy
- Description: The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This allows authenticated attackers, with Subscriber-level access and above, to edit the license key, potentially disabling plugin features.
Summary:
The Minimal Coming Soon – Coming Soon Page plugin for WordPress has a vulnerability in versions up to and including 2.38 that allows authenticated attackers with Subscriber-level access and above to modify the plugin's settings, including the license key. This vulnerability has been patched in version 2.39.
Detailed Overview:
The vulnerability arises from the plugin's failure to enforce proper authorization checks on critical AJAX functions. Specifically, the validate_ajax, deactivate_ajax, and save_ajax functions lack adequate capability verification, enabling unauthorized users to manipulate sensitive settings such as the license key. Exploitation of this flaw could result in the disabling of essential plugin functionalities, affecting the operational integrity of WordPress sites.
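The missing-capability-check pattern described above, shown next to a hardened handler. This is an added illustration, not the plugin's actual code and not the 2.39 patch; the `demo_` action, option and nonce names are hypothetical, and it is written as a small WordPress plugin file.

```php
<?php
/**
 * Plugin Name: Demo AJAX authorization check (illustration only)
 *
 * All "demo_" hook, option and nonce names are hypothetical.
 */

// wp_ajax_{action} fires for ANY logged-in user, Subscribers included.
// Registering the hook is not an authorization decision.
add_action( 'wp_ajax_demo_save_license_before', 'demo_save_license_before' );
add_action( 'wp_ajax_demo_save_license_after', 'demo_save_license_after' );

// Read and normalise the submitted key the same way in both handlers.
function demo_posted_license_key() {
	return isset( $_POST['license_key'] )
		? sanitize_text_field( wp_unslash( $_POST['license_key'] ) )
		: '';
}

// Before: being logged in is the only requirement, so a request from a
// Subscriber account overwrites the stored license key.
function demo_save_license_before() {
	update_option( 'demo_license_key', demo_posted_license_key() );
	wp_send_json_success();
}

// After: nonce check (request forgery) plus capability check (authorization).
function demo_save_license_after() {
	// Ends the request with a 403 if the nonce is missing or invalid.
	// A nonce alone is not authorization: any user who can load a page
	// that prints it can replay it.
	check_ajax_referer( 'demo_save_license', 'nonce' );

	// Only roles allowed to manage site options may change the setting.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}

	update_option( 'demo_license_key', demo_posted_license_key() );
	wp_send_json_success();
}
```

When reviewing other plugins for the same class of bug, every function hooked to `wp_ajax_*` that writes an option should contain a `current_user_can()` call before the write.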
Advice for Users:
Immediate Action: Users are strongly advised to update the Minimal Coming Soon – Coming Soon Page plugin to version 2.39 or later immediately to mitigate the risk of unauthorized settings modification.
Check for Signs of Vulnerability: Monitor plugin settings and functionality for any unexpected changes, especially related to the license key and plugin features.
Alternate Plugins: Consider temporarily deactivating the plugin until the update is applied or exploring alternative plugins that offer similar functionality.
Stay Updated: Regularly update all WordPress plugins to their latest versions to prevent vulnerabilities and maintain site security.
Conclusion:
The prompt response from the Minimal Coming Soon – Coming Soon Page plugin developers in releasing version 2.39 underscores the critical importance of timely updates in maintaining WordPress site security. Users are urged to ensure they are running version 2.39 or higher to safeguard their WordPress installations against potential exploits.
Detailed Report:
In today’s digital landscape, maintaining the security of your website is non-negotiable. As cyber threats continue to evolve, the importance of keeping your software up to date cannot be overstated. Recently, a vulnerability rated CVSS 6.3 has surfaced in the Minimal Coming Soon – Coming Soon Page plugin for WordPress, underscoring the need for proactive security measures.
Summary:
The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable in versions up to and including 2.38, where unauthorized users can exploit insecure AJAX functions to alter critical settings. This flaw has been remediated in version 2.39.
Detailed Overview:
The vulnerability exposes a flaw in the plugin’s authorization mechanisms, specifically in its handling of AJAX requests. By exploiting this weakness, attackers can tamper with essential plugin configurations, such as altering the license key or disabling critical features. Such unauthorized modifications can disrupt site functionality or compromise sensitive information stored within the plugin’s settings.
Stay Updated:
Maintaining the security of your WordPress site requires proactive vigilance. Ensure all plugins, themes, and the core installation are regularly updated to mitigate potential vulnerabilities and safeguard your website against cyber threats.
Conclusion:
The proactive release of version 2.39 by the developers of Minimal Coming Soon – Coming Soon Page demonstrates their commitment to addressing security vulnerabilities promptly. For small business owners and website administrators, staying informed about vulnerabilities and promptly applying updates is crucial to maintaining the integrity and security of their WordPress sites.
Previous vulnerabilities:
Since December 18, 2019, there have been 6 prior vulnerabilities identified in the plugin, highlighting the ongoing need for proactive security measures and diligent maintenance of WordPress installations.