Refine your search
2 vulnerabilities found for WP Maintenance Mode & Site Under Construction by wp-buy
CVE-2025-49284 (GCVE-0-2025-49284)
Vulnerability from cvelistv5
Published
2025-06-06 12:53
Modified
2026-04-01 15:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in wp-buy WP Maintenance Mode & Site Under Construction wp-maintenance-mode-site-under-construction allows Cross Site Request Forgery.This issue affects WP Maintenance Mode & Site Under Construction: from n/a through <= 4.3.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wp-buy | WP Maintenance Mode & Site Under Construction |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49284",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T18:59:33.991781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-06T19:24:12.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-maintenance-mode-site-under-construction",
"product": "WP Maintenance Mode \u0026 Site Under Construction",
"vendor": "wp-buy",
"versions": [
{
"changes": [
{
"at": "4.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Skalucy | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:55.445Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in wp-buy WP Maintenance Mode \u0026 Site Under Construction wp-maintenance-mode-site-under-construction allows Cross Site Request Forgery.\u003cp\u003eThis issue affects WP Maintenance Mode \u0026 Site Under Construction: from n/a through \u003c= 4.3.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in wp-buy WP Maintenance Mode \u0026 Site Under Construction wp-maintenance-mode-site-under-construction allows Cross Site Request Forgery.This issue affects WP Maintenance Mode \u0026 Site Under Construction: from n/a through \u003c= 4.3."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:55:12.300Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-maintenance-mode-site-under-construction/vulnerability/wordpress-wp-maintenance-mode-site-under-construction-4-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP Maintenance Mode \u0026 Site Under Construction plugin \u003c= 4.3 - Cross Site Request Forgery (CSRF) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49284",
"datePublished": "2025-06-06T12:53:41.826Z",
"dateReserved": "2025-06-04T09:41:43.867Z",
"dateUpdated": "2026-04-01T15:55:12.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24191 (GCVE-0-2021-24191)
Vulnerability from cvelistv5
Published
2021-05-14 11:38
Modified
2024-08-03 19:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wp-buy | WP Maintenance Mode & Site Under Construction |
Version: 1.8.2 < 1.8.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Maintenance Mode \u0026 Site Under Construction",
"vendor": "wp-buy",
"versions": [
{
"lessThan": "1.8.2",
"status": "affected",
"version": "1.8.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bugbang"
}
],
"descriptions": [
{
"lang": "en",
"value": "Low privileged users can use the AJAX action \u0027cp_plugins_do_button_job_later_callback\u0027 in the WP Maintenance Mode \u0026 Site Under Construction WordPress plugin before 1.8.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:16.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WP Maintenance Mode \u0026 Site Under Construction \u003c 1.8.2 - Arbitrary Plugin Installation/Activation via Low Privilege User",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24191",
"STATE": "PUBLIC",
"TITLE": "WP Maintenance Mode \u0026 Site Under Construction \u003c 1.8.2 - Arbitrary Plugin Installation/Activation via Low Privilege User"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Maintenance Mode \u0026 Site Under Construction",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.2",
"version_value": "1.8.2"
}
]
}
}
]
},
"vendor_name": "wp-buy"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Bugbang"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Low privileged users can use the AJAX action \u0027cp_plugins_do_button_job_later_callback\u0027 in the WP Maintenance Mode \u0026 Site Under Construction WordPress plugin before 1.8.2, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/74889e29-5349-43d1-baf5-1622493be90c"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24191",
"datePublished": "2021-05-14T11:38:16.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}