CVE-2023-2159 in CMP Coming Soon & Maintenance Plugin
Summary
by MITRE • 06/09/2023
The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Maintenance Mode Bypass in versions up to, and including, 4.1.7. A correct cmp_bypass GET parameter in the URL (equal to the md5-hashed home_url in the default setting) allows users to visit a site placed in maintenance mode, thus bypassing the plugin's provided feature.
Analysis
by VulDB Data Team • 04/10/2026
CVE-2023-2159 affects the CMP – Coming Soon & Maintenance plugin for WordPress in versions up to and including 4.1.7. It is a critical maintenance mode bypass that undermines the plugin's core purpose: hiding a site from public view while it is under maintenance. The flaw lies in the design of the plugin's bypass mechanism, which opens an unintended access path through which unauthorized users can reach the site content with a single URL parameter.
The bypass is parameter-based and predictable: a GET parameter named cmp_bypass must be present in the URL, and in the plugin's default configuration its value must equal the MD5 hash of the site's home_url. Because home_url is public, that hash can be derived by anyone. The plugin does not otherwise validate or authenticate requests carrying this parameter, so anyone who knows or can deduce the hash gains immediate access to the maintenance-protected site. This is a classic case of weak input validation and inadequate access control: the security of the mechanism rests on the secrecy of a hash value rather than on proper authentication.
The operational impact is significant: the vulnerability completely defeats the maintenance mode protection that administrators rely on for security and privacy. An attacker can use it to reach sensitive content, administrative interfaces, or unpublished material that should stay hidden during maintenance. The bypass effectively acts as a backdoor that remains open as long as a vulnerable plugin version is installed, exposing the site to data leakage, unauthorized modification, or other malicious activity. Sites hosting sensitive information, e-commerce platforms, and sites undergoing critical updates are especially at risk, since unauthorized access there can cause substantial financial or reputational damage.
Organizations should update to the latest version of the CMP – Coming Soon & Maintenance plugin immediately; no effective workaround exists for the affected versions. The weakness is classified as CWE-284 Access Control Issues: the system fails to verify user authorization before granting access. In ATT&CK terms it maps to T1078 Valid Accounts and T1566 Phishing, since an attacker could obtain the bypass hash through reconnaissance or social engineering. Security practitioners should also consider network-level protections such as a web application firewall and monitor for unusual access patterns that may indicate exploitation attempts. The case illustrates the importance of proper input validation and the danger of using a hash-based token for access control in place of a robust authentication and authorization framework.
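The monitoring recommended above can be made concrete with a small log check for the parameter-based bypass described earlier. The following is an added example, not code from the advisory or from the plugin: it scans access-log lines for requests carrying cmp_bypass and, using the plugin's documented default (md5 of home_url), distinguishes a request that presented the working default token from a blind probe. HOME_URL, the log lines and the classify_requests helper are constructed for this example.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# Site whose maintenance page is being watched (assumed value, not from the advisory).
HOME_URL = "https://example.com"

# The plugin's default token is md5(home_url); compute it the same way so a
# log hit can be classified as a real bypass rather than a blind probe.
def default_bypass_token(home_url: str) -> str:
    return hashlib.md5(home_url.encode()).hexdigest()

# Apache/nginx combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_requests(log_text: str, home_url: str) -> list[tuple[str, str, int, str]]:
    """Return (client_ip, path, status, verdict) for every request that carries
    cmp_bypass. 'bypass_match' means the value equals md5(home_url), i.e. the
    plugin's default token was presented; 'bypass_probe' means another value."""
    expected = default_bypass_token(home_url)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised log line
        ip, _method, target, status = m.groups()
        parsed = urlparse(target)
        tokens = parse_qs(parsed.query).get("cmp_bypass")
        if not tokens:
            continue  # ordinary request, nothing to flag
        verdict = "bypass_match" if tokens[0] == expected else "bypass_probe"
        findings.append((ip, parsed.path, int(status), verdict))
    return findings

# Constructed sample log lines (not real traffic); the third one carries the
# default token for HOME_URL and therefore represents a successful bypass.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Apr/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2026:10:00:02 +0000] "GET /?cmp_bypass=deadbeef HTTP/1.1" 200 512 "-" "curl/8.0"',
    f'198.51.100.9 - - [10/Apr/2026:10:00:03 +0000] "GET /blog/?cmp_bypass={default_bypass_token(HOME_URL)} HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for ip, path, status, verdict in classify_requests(SAMPLE_LOG, HOME_URL):
        print(f"{verdict:13} {ip:14} {path} (HTTP {status})")
```

Any hit at all is worth alerting on while a vulnerable version is installed, since the parameter has no legitimate use for anonymous visitors; a bypass_match against a site still on 4.1.7 or earlier should be treated as a confirmed bypass.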