CVE-2025-62083

BoomDevs WordPress Coming Soon <= 1.0.4 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The BoomDevs WordPress Coming Soon Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.0.4
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Research Plan
Unverified

This research plan outlines the investigation and exploitation of **CVE-2025-62083**, an unauthenticated information exposure vulnerability in the **BoomDevs WordPress Coming Soon** plugin. ### 1. Vulnerability Summary The BoomDevs WordPress Coming Soon plugin (versions <= 1.0.4) registers one or m…

Show full research plan

This research plan outlines the investigation and exploitation of CVE-2025-62083, an unauthenticated information exposure vulnerability in the BoomDevs WordPress Coming Soon plugin.

1. Vulnerability Summary

The BoomDevs WordPress Coming Soon plugin (versions <= 1.0.4) registers one or more AJAX handlers using the wp_ajax_nopriv_ hook without implementing proper capability checks (current_user_can) or adequate nonce validation. This allows an unauthenticated user to trigger functions that return sensitive data, likely the subscriber email list collected by the coming soon page or plugin configuration settings.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action (Inferred): bwcs_export_subscribers, bwcs_get_subscribers, or bwcs_get_settings. (The prefix bwcs_ is derived from the plugin's "Boom WordPress Coming Soon" naming convention).
  • Method: POST or GET (usually POST for AJAX).
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active. For subscriber exposure, at least one email must have been submitted via the coming soon page.

3. Code Flow (Inferred)

  1. Initialization: During the init or plugins_loaded hook, the plugin registers AJAX actions.
  2. Hook Registration: add_action('wp_ajax_nopriv_bwcs_export_subscribers', '...') is called, mapping a handler function to an unauthenticated AJAX request.
  3. Missing Check: The handler function executes a database query (e.g., SELECT * FROM {$wpdb->prefix}bwcs_subscribers) or retrieves options via get_option().
  4. Exposure: The function outputs the data directly (e.g., via echo or fputcsv) and terminates with wp_die().

4. Nonce Acquisition Strategy

If the plugin attempts to use nonces for these unauthenticated actions, they are typically exposed via wp_localize_script to enable the AJAX functionality on the "Coming Soon" frontend.

Strategy:

  1. Identify Script Object: Grep for wp_localize_script in the plugin directory to find the JavaScript object name (e.g., bwcs_obj, bwcs_vars).
  2. Activate Coming Soon: Ensure the plugin is in "Coming Soon" mode via WP-CLI:
    wp option update bwcs_status 'active' (inferred option name).
  3. Navigate to Homepage: Use browser_navigate to visit the site root.
  4. Extract Nonce: Use browser_eval to extract the nonce:
    browser_eval("window.bwcs_obj?.nonce") or browser_eval("window.bwcs_vars?.ajax_nonce").

Note: If the handler uses wp_ajax_nopriv_ but fails to call check_ajax_referer or wp_verify_nonce, no nonce is required.

5. Exploitation Strategy

  1. Discovery: Use the execution agent to find the exact AJAX action:
    grep -rn "wp_ajax_nopriv_" wp-content/plugins/coming-soon-by-boomdevs/
  2. Identify the Sink: Examine the function associated with the nopriv hook. Check if it returns subscriber data or settings.
  3. Prepare the Request: Construct a POST request to admin-ajax.php.
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Body: action=[ACTION_NAME]&nonce=[NONCE_IF_FOUND]
  4. Execute: Use http_request to send the payload.

6. Test Data Setup

To confirm information exposure, there must be information to expose:

  1. Enable Plugin: wp plugin activate coming-soon-by-boomdevs
  2. Create Custom Table (if needed): If the plugin doesn't auto-create the table, identify the table name from the source and insert a dummy subscriber.
    • Example Table Name: wp_bwcs_subscribers
    • Example Command: wp db query "INSERT INTO wp_bwcs_subscribers (email) VALUES ('victim@example.com')"
  3. Configuration: Ensure the "Coming Soon" mode is toggled ON in the settings so the frontend is accessible.

7. Expected Results

  • Success: The response body contains sensitive data such as a list of email addresses in CSV format, a JSON object containing WordPress settings, or user-related metadata.
  • Response Code: 200 OK.
  • Response Content-Type: Likely text/csv, application/json, or text/html.

8. Verification Steps

  1. Manual Database Comparison: Verify the data returned in the HTTP response matches the data in the database:
    wp db query "SELECT * FROM wp_bwcs_subscribers"
  2. Check for Nonce Enforcement: Retry the request with an invalid nonce or no nonce. If it still returns data, the vulnerability is even more severe (missing nonce check).

9. Alternative Approaches

If the bwcs_export_subscribers action does not exist, look for:

  • Backup/Export Files: Grep for export or download to see if the plugin creates files in wp-content/uploads/ with predictable names.
  • Settings Exposure: Some plugins use a generic "get settings" AJAX action for the admin dashboard but mistakenly hook it to nopriv. Check for actions like bwcs_get_all_options.
  • User Enumeration: Check if the plugin exposes user IDs or names via localized scripts to populate "Author" sections on the coming soon page.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.