WP Maintenance Security & Risk Analysis

wordpress.org/plugins/wp-maintenance

Create and customize your maintenance page

50K active installs · v6.1.10.1 · PHP + · WP 3.0+ · Updated Feb 4, 2026
coming-soon · construction · launch · maintenance
Score: 91
A · Safe
CVEs total: 7
Unpatched: 0
Last CVE: May 7, 2025
Safety Verdict

Is WP Maintenance Safe to Use in 2026?

Generally Safe

Score 91/100

WP Maintenance has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: May 7, 2025 · Updated 1mo ago
Risk Assessment

The "wp-maintenance" plugin v6.1.10.1 exhibits a mixed security posture. On the positive side, static code analysis reveals strong adherence to secure coding practices. There are no identified dangerous functions, all SQL queries utilize prepared statements, and output escaping is almost universally applied. The plugin also demonstrates a diligent use of nonces and capability checks, indicating an effort to protect against common web vulnerabilities and enforce proper authorization. The attack surface is minimal, with no unprotected entry points detected through AJAX handlers or REST API routes.

However, the plugin's vulnerability history presents a significant concern. A total of seven known CVEs have been recorded, with two high and five medium severity vulnerabilities. The common vulnerability types, including Deserialization of Untrusted Data, Improper Access Control, XSS, and CSRF, suggest recurring weaknesses in how the plugin handles user input and manages access. The fact that the last reported vulnerability was very recent (May 2025) is particularly alarming and suggests a pattern of potential security flaws that may not be entirely remediated. While currently there are no unpatched vulnerabilities, the historical prevalence and types of issues warrant caution.

In conclusion, while the current version of "wp-maintenance" appears to have implemented good defensive coding practices in its static analysis, its historical vulnerability record is a significant red flag. The recurring nature of critical and high-severity vulnerabilities like deserialization and access control issues suggests underlying architectural weaknesses that require careful monitoring and thorough auditing. Users should be aware that despite the apparent clean bill of health in the static analysis, past issues might indicate latent risks or the potential for future discoveries. The shortcode entry point, for which the static analysis found no explicit authorization check, is a minor concern given the overall low attack surface.

Key Concerns

  • Multiple high and medium severity CVEs in history
  • Recent vulnerability reported (May 2025)
  • Common vulnerability types point to recurring issues
  • Shortcode as an entry point without explicit auth check
Vulnerabilities
7

WP Maintenance Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2022: 2 CVEs
  • 2023: 1 CVE
  • 2024: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

High: 2
Medium: 5

7 total CVEs

CVE-2025-47683 · high · 7.2 · Deserialization of Untrusted Data

WP Maintenance <= 6.1.9.7 - Authenticated (Administrator+) PHP Object Injection

May 7, 2025 · Patched in 6.1.9.8 (15d)

CVE-2024-0789 · medium · 5.3 · Use of Less Trusted Source

WP Maintenance <= 6.1.9.2 - IP Spoofing to Maintenance Mode Bypass

Jun 18, 2024 · Patched in 6.1.9.3 (42d)

CVE-2024-1472 · medium · 5.3 · Improper Access Control

WP Maintenance <= 6.1.6 - Information Exposure

Feb 16, 2024 · Patched in 6.1.7 (5d)

CVE-2023-47769 · medium · 5.3 · Use of Less Trusted Source

WP Maintenance <= 6.1.3 - IP Restriction Bypass

Nov 14, 2023 · Patched in 6.1.4 (70d)

CVE-2022-30536 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Maintenance <= 6.0.7 - Authenticated (Admin+) Cross-Site Scripting

Jun 28, 2022 · Patched in 6.0.8 (709d)

CVE-2021-36828 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Maintenance <= 6.0.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 15, 2022 · Patched in 6.0.6 (647d)

CVE-2019-19979 · high · 8.8 · Cross-Site Request Forgery (CSRF)

WP Maintenance <= 5.0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Nov 19, 2019 · Patched in 5.0.6 (1526d)

Code Analysis
Analyzed Mar 16, 2026

WP Maintenance Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 6 (294 escaped)
Nonce Checks: 11
Capability Checks: 13
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

98% escaped · 300 total outputs
Data Flows: All sanitized

Data Flow Analysis

1 flow
<wp-maintenance-css> (views\wp-maintenance-css.php:0)
Attack Surface

WP Maintenance Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[wpm_social] includes\shortcodes.php:55
WordPress Hooks 14
action template_redirect classes\wp-maintenance.php:17
action init classes\wp-maintenance.php:19
action admin_menu classes\wp-maintenance.php:30
filter plugin_action_links_wp-maintenance/wp-maintenance.php classes\wp-maintenance.php:31
action admin_head classes\wp-maintenance.php:32
action admin_bar_menu classes\wp-maintenance.php:33
action admin_footer classes\wp-maintenance.php:34
action admin_init classes\wp-maintenance.php:35
action admin_init classes\wp-maintenance.php:36
filter xmlrpc_enabled classes\wp-maintenance.php:39
filter rest_authentication_errors classes\wp-maintenance.php:42
action admin_print_footer_scripts classes\wp-maintenance.php:471
action plugins_loaded wp-maintenance.php:47
action init wp-maintenance.php:54
Maintenance & Trust

WP Maintenance Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 4, 2026
PHP min version
Downloads: 1.3M

Community Trust

Rating: 94/100
Number of ratings: 98
Active installs: 50K
Developer Profile

WP Maintenance Developer Profile

Florent Maillefaud

4 plugins · 59K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 398 days
Detection Fingerprints

How We Detect WP Maintenance

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-maintenance/assets/css/wp-maintenance.css
/wp-content/plugins/wp-maintenance/assets/js/wp-maintenance.min.js
Script Paths
/wp-content/plugins/wp-maintenance/assets/js/wp-maintenance.min.js
Version Parameters
wp-maintenance/assets/css/wp-maintenance.css?ver=
wp-maintenance/assets/js/wp-maintenance.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpm-maintenance-page
wpm-countdown
wpm-container
HTML Comments
<!-- WP Maintenance -->
<!-- This site is down for maintenance -->
Data Attributes
data-countdown
JS Globals
wpm_maintenance_options
REST Endpoints
/wp-json/wp-maintenance/v1/settings
Shortcode Output
[wpm_countdown]
[wpm_newsletter_form]