CVE-2022-0164 in Coming Soon and Maintenance Mode Plugin
Summary
by MITRE • 02/21/2022
The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated user, with a role as low as subscriber, to send arbitrary emails to all subscribed users.
Analysis
by VulDB Data Team • 02/25/2022
CVE-2022-0164 affects the Coming soon and Maintenance mode WordPress plugin in versions 3.6.7 and earlier and is a critical flaw because it defeats the plugin's authorization model. The cause is the coming_soon_send_mail AJAX action, which performs neither an access-control check nor a cross-site request forgery check. As a result, any authenticated WordPress user, regardless of role, can invoke it; even subscriber-level accounts can do so. The action therefore exposes an email broadcast capability that should be restricted to administrators or other authorized staff.
The defect lies in the plugin's AJAX handler, which does not verify the caller's permissions before sending email. This is a classic authorization bypass and is classified under CWE-863, "Incorrect Authorization". The missing CSRF token (WordPress nonce) validation compounds the risk: a request crafted by an attacker can be executed in the context of a logged-in user without that user's knowledge or consent. The endpoint also lacks the input sanitization and validation normally found in secure web applications, so any authenticated user can trigger the mail-sending process.
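To make the handler pattern concrete, the following is an added illustration and not the plugin's actual code: a wp_ajax handler that sends mail with no nonce or capability check, next to a hardened version that adds both. The function names, the csmm_ prefix, the subscriber storage and the choice of the manage_options capability are assumptions.

```php
<?php
// Added illustration of the CVE-2022-0164 pattern; not the plugin's own code.
// Function names, the csmm_ prefix and the subscriber storage are hypothetical.

// VULNERABLE PATTERN (as previously wired up with
//   add_action( 'wp_ajax_coming_soon_send_mail', 'csmm_send_mail_unprotected' ); )
// The wp_ajax_ hook fires for any logged-in user, and nothing below checks
// who the caller is or whether the request came from a page the site served.
function csmm_send_mail_unprotected() {
    $subject = isset( $_POST['subject'] ) ? $_POST['subject'] : '';
    $message = isset( $_POST['message'] ) ? $_POST['message'] : '';
    foreach ( csmm_get_subscribers() as $email ) {
        wp_mail( $email, $subject, $message ); // reached by a subscriber or a forged request
    }
    wp_send_json_success();
}

// HARDENED PATTERN: verify the nonce (CSRF) and the capability (authorization)
// before doing anything, then sanitize the inputs.
add_action( 'wp_ajax_coming_soon_send_mail', 'csmm_send_mail_protected' );
function csmm_send_mail_protected() {
    // check_ajax_referer() terminates the request with 403 if the "nonce"
    // field is missing or does not match the 'csmm_send_mail' action.
    check_ajax_referer( 'csmm_send_mail', 'nonce' );

    // Only users who may manage the site (assumed: manage_options) may broadcast.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient privileges', 403 ); // exits
    }

    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $message = wp_kses_post( wp_unslash( $_POST['message'] ?? '' ) );
    foreach ( csmm_get_subscribers() as $email ) {
        wp_mail( $email, $subject, $message );
    }
    wp_send_json_success();
}

// The admin page that triggers the action must embed a matching nonce, e.g.
//   wp_nonce_field( 'csmm_send_mail', 'nonce' );
// or send wp_create_nonce( 'csmm_send_mail' ) as the "nonce" POST field.

// Hypothetical helper: returns the subscribed addresses (assumed option storage).
function csmm_get_subscribers() {
    return (array) get_option( 'csmm_subscribers', array() );
}
```

Note that the capability check alone does not stop CSRF (an administrator can still be lured into issuing the request), and the nonce check alone does not stop a subscriber who can obtain a nonce from a page the site serves them; both checks are needed.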
The impact goes beyond spam: the capability can be abused for social engineering, phishing campaigns, or information disclosure. An attacker holding a subscriber-level account can send mass email to every subscribed user, and that email may carry sensitive or misleading content that undermines users' trust and security. Exploitation paths include a compromised low-privilege account or luring a logged-in user into clicking a link that triggers the AJAX action. For sites that rely on the plugin for maintenance or coming soon pages this is a significant risk, because it creates an unintended communication channel that bypasses normal email distribution controls and user consent.
Mitigation of CVE-2022-0164 should start with updating the plugin to version 3.6.8 or later, which adds the missing authorization and CSRF checks. Administrators should additionally monitor outbound email from their WordPress installations for unusual volume or patterns that may indicate exploitation. The case shows why even apparently benign features such as email notifications need proper access control; the resulting risk maps to ATT&CK technique T1566, which covers phishing as a social engineering vector. Organizations should review all installed WordPress plugins for authorization checks and CSRF protection, particularly on AJAX endpoints that handle user data or system functionality, and should perform regular security audits and penetration tests to find similar authorization bypasses before they compromise the site's overall security posture.