The Acurax "Under Construction / Maintenance Mode" is a popular WordPress plugin used by website owners to show a maintenance or "coming soon" page while hiding their main site content from the public. Millions rely on plugins like this to protect their draft or unfinished sites from unwanted viewers.
But in early 2024, security researchers uncovered a severe vulnerability in this plugin: CVE-2024-1476. This weakness exposes sensitive information—such as posts and pages—through the WordPress REST API, even when maintenance mode is active. That means anyone, including unauthenticated (not logged in) attackers, can bypass the plugin's maintenance wall and peek inside!
In this article, I’ll explain exactly how this bug works, show you proof-of-concept code, and link to the original research so you can learn more. If you manage a WordPress site with this plugin, read carefully!
What is CVE-2024-1476?
CVE-2024-1476 is a vulnerability found in *all* versions of the Acurax Under Construction / Maintenance Mode plugin up to and including 2.6. When the plugin is enabled, it’s supposed to block visitors from seeing anything except the maintenance page—unless they’re logged in as admins.
However, the plugin does not block access to the WordPress REST API endpoints. The REST API is a powerful part of modern WordPress that allows users (and plugins or other sites) to programmatically fetch site data—including posts, pages, and more.
So, even with the maintenance mode ON, an attacker can grab your site’s content using simple requests to the REST API!
How is the API Exposed?
A normal visitor who opens the homepage of a site with Acurax maintenance mode turned on might see this:
> "The site is currently under maintenance. Please check back soon."
But if they make an HTTP GET request to the REST API (with a tool like curl, Postman, or even just their browser), they might see all your posts—including private drafts!
Here’s the standard REST API endpoint for posts:
    GET http://example.com/wp-json/wp/v2/posts
And for pages:
    GET http://example.com/wp-json/wp/v2/pages
You don’t need to be logged in for normal (published) content. The problem is, when maintenance mode is meant to hide the whole site, these endpoints should be disabled for visitors—but aren’t.
Try this in your terminal (replace [yoursite] with your own site):
    curl -s https://[yoursite]/wp-json/wp/v2/posts
Or, to grab pages:
    curl -s https://[yoursite]/wp-json/wp/v2/pages
You’ll get a JSON array with the title, content, author, publication date, and more for each post or page.
Example Response:
    [
      {
        "id": 10,
        "date": "2024-02-15T12:34:56",
        "title": {"rendered": "About Us"},
        "content": {"rendered": "<p>This is a top secret page...</p>"},
        ...
      },
      ...
    ]
This gives an attacker a big head start on reconnaissance for further attacks.
It does NOT give attackers admin access or let them edit your content, but it breaks the expectation that everything is hidden. For sites preparing new product launches, private membership sites, or anyone handling sensitive info, this is a disaster.
Why did this Happen?
The problem is simple:
Acurax’s plugin only locks down the site’s visible front-end and (by default) does nothing to restrict the REST API endpoints. Since the WordPress REST API is enabled by default on modern sites, attackers can easily fish your data out through those endpoints.
Plugin authors should have used a hook (like rest_authentication_errors) to block API access when maintenance mode is on.
How to Protect Yourself
1. Deactivate or Remove the Vulnerable Plugin
If you have Acurax Under Construction / Maintenance Mode 2.6 or older, remove or disable it immediately.
2. Use a Better Maintenance Plugin
Look for maintenance-mode plugins that specifically mention API protection, like WP Maintenance Mode (but even then, confirm they block the REST API!).
3. Block the REST API for Non-Admins
Add the following code to your theme’s functions.php file to block all REST API use for guests:
    // Runs before every REST request is dispatched; returning a WP_Error
    // here makes WordPress answer with that error instead of the data.
    add_filter( 'rest_authentication_errors', function ( $result ) {
        // Anonymous visitor: refuse the request with HTTP 401.
        if ( ! is_user_logged_in() ) {
            return new WP_Error( 'rest_login_required', 'REST API restricted.', array( 'status' => 401 ) );
        }
        // Logged-in user: leave whatever earlier authentication decided untouched.
        return $result;
    } );
Note: This blocks *all* REST API access for non-logged-in users—including legitimate uses like contact forms or Jetpack—so test before deploying.
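To keep the guest block while leaving room for the legitimate uses mentioned above, here is an added example (my own code, not from the original post or from the Acurax plugin) that refuses anonymous access to every REST route except an allowlist of namespaces; the namespace entries in the list are assumptions for illustration and must be replaced with the ones your own site actually needs.

```php
<?php
// Guest block with a namespace allowlist. Drop into functions.php or a small mu-plugin.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect an error or a positive decision already made by another filter.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // Logged-in users keep full REST access (the block editor depends on it).
    if ( is_user_logged_in() ) {
        return $result;
    }
    // REST namespaces that anonymous visitors may still reach.
    // Hypothetical entries: replace with the namespaces your forms/integrations use.
    $allowed_namespaces = array(
        'contact-form-7/v1',   // example: a contact form plugin's submission endpoint
        'oembed/1.0',          // example: oEmbed discovery, if you rely on it
    );
    // Work out which route is being requested, e.g. "/wp/v2/posts".
    $route = '';
    if ( ! empty( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
        $route = $GLOBALS['wp']->query_vars['rest_route'];
    } elseif ( isset( $_SERVER['REQUEST_URI'] ) ) {
        // Fallback: strip everything up to and including the REST prefix ("wp-json").
        $path  = wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
        $route = preg_replace( '#^.*?/' . preg_quote( rest_get_url_prefix(), '#' ) . '#', '', $path );
    }
    $route = '/' . ltrim( $route, '/' );
    // Let allowlisted namespaces through for guests.
    foreach ( $allowed_namespaces as $ns ) {
        if ( $route === '/' . $ns || 0 === strpos( $route, '/' . $ns . '/' ) ) {
            return $result;
        }
    }
    // Everything else, including /wp/v2/posts and /wp/v2/pages, is refused for guests.
    return new WP_Error(
        'rest_login_required',
        'REST API restricted while the site is in maintenance mode.',
        array( 'status' => 401 )
    );
} );
```

After deploying, repeat the curl checks from above as a logged-out visitor: the posts and pages endpoints should now answer with a 401 JSON error, while an allowlisted namespace still responds normally.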
4. Patch or Monitor for Updates
Check for official fixes from Acurax or look for a patched fork.
References and Further Reading
- Wordfence Advisory: CVE-2024-1476 - Under Construction / Maintenance Mode <= 2.6 - Sensitive Information Exposure
- WPScan: CVE-2024-1476
- Understanding the WordPress REST API
- Plugin on WordPress.org
Final Thoughts
CVE-2024-1476 is a classic case of trusting a site protection plugin to do it all, only to be blindsided by a simple API oversight. Until a patched version comes out, it’s safest to switch plugins or block the REST API as shown. If you found this post helpful, share it with others who run WordPress sites—especially if they use Acurax tools.
Stay safe, and always think like an attacker to protect your site!
Timeline
Published on: 02/28/2024 09:15:42 UTC
Last modified on: 02/28/2024 14:06:45 UTC