WordPress Coming Soon Page & Maintenance Mode Information Disclosure Scanner
Detects 'Information Disclosure' vulnerability in WordPress Coming Soon Page & Maintenance Mode.
Short Info
Level
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 15 days 17 hours
Scan only one: URL
WordPress Coming Soon Page & Maintenance Mode is a popular plugin used by website administrators to create temporary landing pages or maintenance modes. This plugin helps site owners to communicate updates or announcements while preventing visitors from accessing the main website. It is widely utilized by developers and web designers when performing site updates or redesigns to ensure a professional appearance during such activities. The plugin comes with customizable templates and easy settings to accommodate a wide variety of website needs.
The vulnerability exposes sensitive server path information. Some of the plugin's PHP files are publicly accessible and lack the ABSPATH check (the guard that stops a file from running when it is requested outside a loaded WordPress environment), so the plugin is prone to full path disclosure through PHP error messages. Attackers can use the disclosed path information when orchestrating further attacks.
The technical cause is unprotected direct access to the plugin's PHP files. Requesting certain plugin files directly produces PHP error messages that contain path information. The affected files sit in the directory '/wp-content/plugins/responsive-coming-soon/'. The strings "Fatal error" and "Call to undefined function" in the response indicate that the disclosure has been triggered.
Exploitation of this vulnerability can lead to exposure of sensitive path information, which can be used to facilitate further attacks, such as local file inclusion or server-side request forgery. Disclosing path details could also aid attackers in gaining access to sensitive areas of the server or leveraging the environment for deploying malware.
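The missing ABSPATH protection described above can be checked from the site owner's side by auditing a local copy of the plugin's PHP files. The following is an added example, not code from the scanner or the plugin; the function names, the guard heuristic and the sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# PHP comments are stripped first so a commented-out guard does not count.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)

# Heuristic (assumption): a guard is a defined('ABSPATH') test followed
# shortly by exit or die, which covers the common idioms:
#   if ( ! defined( 'ABSPATH' ) ) { exit; }
#   defined( 'ABSPATH' ) || die();
GUARD = re.compile(
    r"""defined\s*\(\s*['"]ABSPATH['"]\s*\).{0,200}?\b(?:exit|die)\b""",
    re.DOTALL | re.IGNORECASE,
)

def has_abspath_guard(source: str) -> bool:
    """True if the PHP source contains an active ABSPATH guard."""
    return GUARD.search(COMMENTS.sub("", source)) is not None

def unguarded(sources: dict) -> list:
    """Names of PHP sources that can run outside WordPress (no guard)."""
    return sorted(n for n, src in sources.items() if not has_abspath_guard(src))

def audit_plugin_dir(plugin_dir: str) -> list:
    """Audit every .php file under a local plugin directory."""
    root = Path(plugin_dir)
    sources = {
        str(p.relative_to(root)): p.read_text(errors="replace")
        for p in root.rglob("*.php")
    }
    return unguarded(sources)

# Constructed sample files, not taken from the plugin.
SAMPLES = {
    "guarded.php": "<?php\nif ( ! defined( 'ABSPATH' ) ) {\n    exit;\n}\n"
                   "add_action( 'init', 'demo_init' );\n",
    "short_guard.php": "<?php\ndefined( 'ABSPATH' ) || die();\n"
                       "add_action( 'init', 'demo_init' );\n",
    # Direct request fails with "Call to undefined function add_action()".
    "unguarded.php": "<?php\nadd_action( 'init', 'demo_init' );\n",
    "commented_out.php": "<?php\n// if ( ! defined( 'ABSPATH' ) ) exit;\n"
                         "add_action( 'init', 'demo_init' );\n",
}

if __name__ == "__main__":
    for name in unguarded(SAMPLES):
        print("missing ABSPATH guard:", name)
```

Files the audit reports should get the guard added at the top; turning off display_errors in production additionally keeps paths out of any error output.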