3 Vulnerabilities in WP Maintenance Mode plugin 2.0.6 and older

This morning an update to the WP Maintenance Mode plugin, version 2.0.7, was released which included fixes for 3 security vulnerabilities. According to wordpress.org the plugin is very popular, with over 400,000 active users.  The vulnerabilities were discovered by Sean Murphy, Sr. Developer at Wordfence, and we notified the plugin author last week. A firewall rule was added to the Threat Defense Feed at the time of author notification.

The most serious of the vulnerabilities, which affects WordPress sites with registration enabled, allows an attacker to download a list of subscriber email addresses from the database. Another vulnerability allows an attacker to modify plugin settings. The WP Maintenance Mode plugin was temporarily removed from the plugin repository during the past week in order to fix these vulnerabilities. It has now been restored.

Vulnerability 1: Information Disclosure

CVSS Severity: 4.3 (Medium)

This vulnerability allows a remote attacker to download the list of subscribers from WP Maintenance Mode who have asked to be notified when a site returns to full functionality. To exploit this vulnerability, an attacker simply needs to have a registered account on the victim site with no special permissions.

Vulnerability 2: Missing Authorization

CVSS Severity: 4.3 (Medium)

This vulnerability allows an attacker with a subscriber level account to modify plugin settings.
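Vulnerabilities 1 and 2 share one root cause: an action that should be reserved for administrators is reachable by any logged-in user. The snippet below is an added illustration, not code from WP Maintenance Mode or from Wordfence; the hook names, function names, the `example_subscribers` table and the `nonce` field are hypothetical. It shows a subscriber-export AJAX handler with the authorization gap beside the hardened form that a plugin author (or a reviewer auditing one) should expect to see.

```php
<?php
/*
 * Added illustration (hypothetical names), not the plugin's own code.
 *
 * WordPress routes admin-ajax requests from any authenticated user to
 * 'wp_ajax_{action}' hooks. Logging in is not authorization: a subscriber
 * account reaches these handlers just like an administrator does.
 */

// WEAK: no nonce and no capability check. Every registered user, including
// subscribers, can pull the whole list. This is the bug class in Vulnerability 1.
add_action( 'wp_ajax_example_export_subscribers_weak', 'example_export_subscribers_weak' );
function example_export_subscribers_weak() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_subscribers'; // hypothetical table
    $rows  = $wpdb->get_results( "SELECT email FROM {$table}", ARRAY_A );
    wp_send_json( $rows ); // sends JSON and exits
}

// HARDENED: the same export behind the two checks a privileged action needs.
add_action( 'wp_ajax_example_export_subscribers', 'example_export_subscribers' );
function example_export_subscribers() {
    // 1. CSRF: the request must carry a nonce issued for exactly this action
    //    (generated server-side with wp_create_nonce( 'example_export_subscribers' )
    //    and handed to the admin page's script). Dies with 403 on mismatch.
    check_ajax_referer( 'example_export_subscribers', 'nonce' );

    // 2. Authorization: the capability, not the login state, decides.
    //    'manage_options' is held by administrators, not by subscribers.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    global $wpdb;
    $table = $wpdb->prefix . 'example_subscribers';
    $rows  = $wpdb->get_results( "SELECT email FROM {$table}", ARRAY_A );
    wp_send_json_success( $rows );
}
```

The settings-update endpoint behind Vulnerability 2 needs exactly the same two lines before it touches `update_option()`; when reviewing a plugin, grep every `wp_ajax_` and `admin_post_` callback for a `current_user_can()` call, and treat its absence as a finding.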

Vulnerability 3: Remote Code Execution

CVSS Severity: 9.1 (Critical)

We’d like to caveat the CVSS score in this case with the description below. The CVSS score for this vulnerability is very high due to the way CVSS calculates vulnerability severity. This is a ‘critical’ vulnerability, but please read the description in the next paragraph to fully understand its impact.

WP Maintenance Mode allows unsanitized user input to be evaluated as PHP code. In WordPress Multisite, a site administrator could exploit this vulnerability to execute shell commands, access sensitive information, escalate privileges or cause denial of service. To be clear: this means that on a multisite installation of WordPress, a site administrator who only has access to a single site in a network of several websites can exploit their way to network admin and also gain access to the underlying server to fully control all sites in the network.

To exploit this vulnerability, you have to have ‘site admin’ access to a WordPress multi-site installation. Therefore we don’t expect this vulnerability to have a widespread impact, even though the CVSS score is high. However, we would like to note its severity because if a Network admin encounters a malicious site admin, it can have a severe impact.
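The fix for this class of bug is not to sanitize the string more carefully but to never hand request data to the PHP interpreter at all: settings are data, so decode them as data and keep only the keys and types the plugin actually knows. The code below is an added example written for this post, not the plugin's patch; the schema, option name, hook and function names are hypothetical. It also shows the multisite point made above: a setting that can affect every site in the network is gated on the network-admin capability, not the per-site one.

```php
<?php
/*
 * Added illustration (hypothetical names), not the plugin's own code.
 *
 * The bug class behind Vulnerability 3 is evaluating request data as PHP,
 * e.g.  eval( '$cfg = ' . $raw . ';' );  -- never do this with input.
 * Replacement: strict JSON decode + whitelist + per-type sanitizer.
 */

// The settings the plugin knows, with the type each value must have.
function example_settings_schema() {
    return array(
        'enabled'       => 'bool',
        'title'         => 'text',
        'message'       => 'html',
        'countdown_end' => 'int',
    );
}

/**
 * Parse a JSON settings document into a clean array. Unknown keys are
 * dropped, each value is coerced to its declared type, and nothing from
 * the input is ever executed.
 */
function example_parse_settings( $raw ) {
    $decoded = json_decode( (string) $raw, true, 4 ); // depth limit: no deep nesting
    if ( ! is_array( $decoded ) ) {
        return new WP_Error( 'bad_settings', 'settings must be a JSON object' );
    }
    $clean = array();
    foreach ( example_settings_schema() as $key => $type ) {
        if ( ! array_key_exists( $key, $decoded ) ) {
            continue;
        }
        $value = $decoded[ $key ];
        switch ( $type ) {
            case 'bool':
                $clean[ $key ] = (bool) $value;
                break;
            case 'int':
                $clean[ $key ] = absint( $value );
                break;
            case 'text':
                $clean[ $key ] = sanitize_text_field( (string) $value );
                break;
            case 'html':
                $clean[ $key ] = wp_kses_post( (string) $value );
                break;
        }
    }
    return $clean;
}

add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // On multisite a site admin holds 'manage_options' for their own site only;
    // anything with network-wide effect requires 'manage_network_options'.
    $required = is_multisite() ? 'manage_network_options' : 'manage_options';
    if ( ! current_user_can( $required ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = example_parse_settings( $raw );
    if ( is_wp_error( $settings ) ) {
        wp_send_json_error( $settings->get_error_message(), 400 );
    }

    update_option( 'example_settings', $settings );
    wp_send_json_success( $settings );
}
```

When auditing a plugin for this class, search for `eval(`, `create_function(`, `preg_replace` with the `e` modifier, `unserialize(` and `assert(` on anything derived from `$_GET`, `$_POST`, `$_REQUEST` or an option a lower-privileged role can write; each one is a finding unless the input is provably constant.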

What to do

Premium Wordfence customers with the firewall enabled have been protected since last week by the firewall rule that was added when we notified the vendor.

Free Wordfence users who are running the WP Maintenance Mode plugin should upgrade to version 2.0.7 immediately. Our free users will receive the rule to protect against this vulnerability 30 days after our premium customers received the rule – approximately 3 weeks from now.


Comments

1 Comment
  • Just noticed that version 2.0.7 requires WordPress 4.2 and above (uses function wp_scripts). But the plugin page doesn't tell it.