Wordfence finds 3 Vulnerabilities in WP Maintenance Mode plugin 2.0.6 and older

WP Maintenance Important Update

Early in the morning of July 6, 2016, the WP Maintenance Mode authors released their newest version, 2.0.7.

It fixes several major security issues present in previous releases, and sites should be upgraded immediately.

Wordfence senior developer Sean Murphy is credited with finding the 3 vulnerabilities, which could prove serious for many sites. Premium Wordfence users with the firewall enabled have been protected since we notified the author, through a firewall rule included in the Wordfence Threat Defense Feed.

Below is a brief excerpt; full details are on the Wordfence blog…

Vulnerability 1: Information Disclosure

CVSS Severity: 4.3 (Medium)

This vulnerability allows a remote attacker to download the list of subscribers from WP Maintenance Mode who have asked to be notified when a site returns to full functionality. To exploit this vulnerability, an attacker simply needs to have a registered account on the victim site with no special permissions.

 

Vulnerability 2: Missing Authorization

CVSS Severity: 4.3 (Medium)

This vulnerability allows an attacker with a subscriber-level account to modify plugin settings.
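As an added illustration of the bug class behind Vulnerabilities 1 and 2 (this is not the plugin's code; the option names, AJAX action names and field names are assumed), here is a WordPress AJAX handler that any logged-in user can reach because it never checks the caller's capability, beside a hardened version that requires the `manage_options` capability and a nonce:

```php
<?php
// Illustrative code, not from WP Maintenance Mode. Option and action names are assumed.

// Vulnerable pattern: a wp_ajax_ hook fires for *any* logged-in user, so a
// subscriber-level account reaches it. With no capability check, that account
// can read the notification subscriber list (information disclosure).
add_action( 'wp_ajax_wpmm_export_subscribers_unsafe', function () {
    $subscribers = get_option( 'wpmm_subscribers', array() ); // assumed option name
    wp_send_json_success( $subscribers ); // leaked to every registered user
} );

// Hardened pattern: authorization first, then CSRF protection, then the action.
add_action( 'wp_ajax_wpmm_export_subscribers', function () {
    // Only administrators may export; wp_send_json_error() terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reject requests not issued from the plugin's own admin page (dies on failure).
    check_ajax_referer( 'wpmm_export_subscribers', 'nonce' );
    wp_send_json_success( get_option( 'wpmm_subscribers', array() ) );
} );

// Same gate on the settings writer, closing the missing-authorization hole
// that lets a subscriber modify plugin settings.
add_action( 'wp_ajax_wpmm_save_settings', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wpmm_save_settings', 'nonce' );

    $settings = get_option( 'wpmm_settings', array() ); // assumed option name
    // Accept only known fields and sanitize each one; never store the raw POST body.
    $heading = isset( $_POST['heading'] ) ? wp_unslash( $_POST['heading'] ) : '';
    $settings['heading'] = sanitize_text_field( $heading );
    $settings['status']  = ( isset( $_POST['status'] ) && '1' === $_POST['status'] ) ? 1 : 0;
    update_option( 'wpmm_settings', $settings );
    wp_send_json_success();
} );
```

When auditing a plugin, every `wp_ajax_*` and `admin_post_*` handler that reads or writes data without a `current_user_can()` check is a candidate for exactly these two findings.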

Vulnerability 3: Remote Code Execution

CVSS Severity: 9.1 (Critical)

We would like to qualify the CVSS score in this case with the description below. The score for this vulnerability is very high because of the way CVSS calculates severity. This is a ‘critical’ vulnerability, but please read the description in the next paragraph to fully understand its impact.

Make sure to upgrade the WP Maintenance Mode plugin on all your sites if you have not already done so. These vulnerabilities could pose a serious risk to your website.

Premium Wordfence users with the firewall enabled should already have been protected, but you should update your plugins as well.