CVE-2022-0199

EUVD-2022-15402
The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make logged in admin to send arbitrary emails to all subscribed users via a CSRF attack
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
Affected Products (NVD)
VendorProductVersion
wpdevartcoming_soon_and_maintenance_mode
𝑥
< 3.6.8
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://plugins.trac.wordpress.org/changeset/2659455
https://wpscan.com/vulnerability/1ab1748f-c939-4953-83fc-9df878da7714
https://plugins.trac.wordpress.org/changeset/2659455
https://wpscan.com/vulnerability/1ab1748f-c939-4953-83fc-9df878da7714