CVE-2022-0188 Scanner

CMP WordPress is a widely used plugin for the WordPress CMS, allowing website administrators to manage coming soon and maintenance page layouts. The plugin is popular among WordPress site owners for its ease of use and flexibility in design customizations. It is primarily used by web developers and administrators who need to put their sites temporarily offline for maintenance. CMP WordPress is often deployed in various web environments, ranging from personal blogs to large corporate websites. It provides features such as subscriber management, access control, and customizable themes. The plugin is distributed via the WordPress plugin repository and is frequently updated for new features and security improvements.

The broken access control vulnerability, in this case, is due to the plugin's failure to enforce proper permissions on the coming soon page feature. This flaw allows unauthenticated users to change the page layout, which can lead to various issues such as website defacement. Broken access control vulnerabilities are a common security issue, whereby users gain permissions they shouldn't have, leading to potentially severe security breaches. They are typically caused by incorrect or missing access control checks in the application's code. This particular vulnerability can be exploited without authentication, making it a critical issue for websites using the affected versions of the CMP WordPress plugin. Ensuring that access controls are correctly configured and implemented is essential to protect web applications from such vulnerabilities.

The vulnerability is present in the CMP WordPress plugin version 4.0.19 and earlier, specifically within the coming soon page feature. The technical flaw lies in the insufficient checking of user privileges, allowing unauthenticated users to access and modify settings intended only for site administrators. Attackers can exploit this vulnerability via a POST request to the affected endpoint. By doing so, they can alter the design and content of the "Coming Soon" page, affecting how site visitors perceive the website. The manipulation of the layout does not require valid credentials, thus enabling any remote user to exploit the flaw with the correct request parameters.

If exploited, this vulnerability can lead to misleading or defacement of a website's upcoming "Coming Soon" page. Attackers could potentially mislead visitors or damage the credibility of a website. Besides aesthetic damage, there could be financial or reputational repercussions for website owners. In more severe cases, a manipulated page could be used for phishing attacks or to distribute malware. Therefore, timely remediation of this vulnerability is critical to maintaining the integrity and security of affected websites. Users might find themselves victims of scams or malicious software if they interact with a compromised page.

REFERENCES

• https://wpscan.com/vulnerability/50b6f770-6f53-41ef-b2f3-2a58e9afd332/