Vulnerability Details CVE-2024-5087
The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the license key, which could disable features of the plugin.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 56.3%
CVSS Severity
CVSS v3 Score 6.3
References
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CRLF%20Injection/README.md
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L51
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L52
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L54
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L561
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L585
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L596
- https://plugins.trac.wordpress.org/changeset/3099123/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/affdaf63-2098-4ad6-b15b-990d1941fecb?source=cve
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CRLF%20Injection/README.md
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L51
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L52
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L54
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L561
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L585
- https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/tags/2.38/framework/wf-licensing.php#L596
- https://plugins.trac.wordpress.org/changeset/3099123/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/affdaf63-2098-4ad6-b15b-990d1941fecb?source=cve
Products affected by CVE-2024-5087
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:0.1
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:0.2
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:0.3
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:0.4
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:0.5
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.0
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.1
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.2
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.25
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.30
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.35
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.40
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.45
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.50
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.55
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.60
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.62
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.65
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.70
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.80
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.85
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.87
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.90
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:1.95
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.0
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.01
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.05
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.07
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.10
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.15
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.17
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.18
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.19
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.20
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.22
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.25
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.26
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.27
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.30
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.33
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.35
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.36
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.37
-
cpe:2.3:a:webfactoryltd:minimal_coming_soon_&_maintenance_mode:2.38