CVE-2022-0164: CSRF
First published: Mon Feb 21 2022(Updated: )
The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users
Credit: contact@wpscan.com contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Wpdevart Coming Soon And Maintenance Mode | <3.5.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-0164?
CVE-2022-0164 is a vulnerability in the Coming soon and Maintenance mode WordPress plugin that allows authenticated users to send arbitrary emails to all subscribed users.
What is the severity of CVE-2022-0164?
CVE-2022-0164 has a severity level of medium, with a severity value of 4.3.
How does CVE-2022-0164 affect the Coming soon and Maintenance mode WordPress plugin?
CVE-2022-0164 affects the Coming soon and Maintenance mode WordPress plugin version up to and exclusive to 3.5.3.
Are there any fixes or patches available for CVE-2022-0164?
Yes, a fix for CVE-2022-0164 is available in version 3.5.3 of the Coming soon and Maintenance mode WordPress plugin.
Where can I find more information about CVE-2022-0164?
You can find more information about CVE-2022-0164 at the following references: [Reference 1](https://plugins.trac.wordpress.org/changeset/2655973), [Reference 2](https://wpscan.com/vulnerability/942535f9-73bf-4467-872a-20075f03bc51).
- collector/nvd-api
- collector/nvd-index
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- vendor/wpdevart
- canonical/wpdevart coming soon and maintenance mode