{"api_version":"1","generated_at":"2026-04-10T22:00:04+00:00","cve":"CVE-2019-25140","urls":{"html":"https://cve.report/CVE-2019-25140","api":"https://cve.report/api/cve/CVE-2019-25140.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-25140","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-25140"},"summary":{"title":"Coming Soon Page & Maintenance Mode <= 1.8.1 - Stored Cross Site Scripting","description":"The WordPress Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the logo_width, logo_height, rcsp_logo_url, home_sec_link_txt, rcsp_headline and rcsp_description parameters in versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2023-06-07 02:15:10","updated_at":"2026-04-08 18:17:03"},"problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"7.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","data":{"baseScore":7.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://blog.nintechnet.com/unauthenticated-stored-xss-in-wordpress-coming-soon-page-and-maintenance-mode-plugin/","name":"https://blog.nintechnet.com/unauthenticated-stored-xss-in-wordpress-coming-soon-page-and-maintenance-mode-plugin/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"Unauthenticated Stored XSS in WordPress Coming Soon Page and Maintenance Mode plugin. – NinTechNet","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/738c6c77-97ef-4e47-9f14-9b73ea425bc2?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/738c6c77-97ef-4e47-9f14-9b73ea425bc2?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory"],"title":"Coming Soon Page & Maintenance Mode <= 1.8.1 - Stored Cross Site Scripting","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://plugins.trac.wordpress.org/changeset/2121321/responsive-coming-soon","name":"https://plugins.trac.wordpress.org/changeset/2121321/responsive-coming-soon","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"403 Forbidden","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://plugins.trac.wordpress.org/changeset/2123149/responsive-coming-soon","name":"https://plugins.trac.wordpress.org/changeset/2123149/responsive-coming-soon","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"403 Forbidden","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-25140","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25140","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"wpshopmart","product":"Coming Soon Page & Maintenance Mode","version":"affected 1.8.2 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2019-07-16T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Jerome Bruandet","lang":"en"}],"nvd_cpes":[{"cve_year":"2019","cve_id":"25140","vulnerable":"1","versionEndIncluding":"1.8.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wpshopmart","cpe5":"coming_soon_page_\\&_maintenance_mode","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-05T03:00:19.302Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/738c6c77-97ef-4e47-9f14-9b73ea425bc2?source=cve"},{"tags":["x_transferred"],"url":"https://blog.nintechnet.com/unauthenticated-stored-xss-in-wordpress-coming-soon-page-and-maintenance-mode-plugin/"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset/2123149/responsive-coming-soon"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset/2121321/responsive-coming-soon"}],"title":"CVE Program Container"},{"metrics":[{"other":{"content":{"id":"CVE-2019-25140","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-12-28T00:41:05.089109Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-12-28T00:55:49.022Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Coming Soon Page & Maintenance Mode","vendor":"wpshopmart","versions":[{"lessThan":"1.8.2","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Jerome Bruandet"}],"descriptions":[{"lang":"en","value":"The WordPress Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the logo_width, logo_height, rcsp_logo_url, home_sec_link_txt, rcsp_headline and rcsp_description parameters in versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}],"metrics":[{"cvssV3_1":{"baseScore":7.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:00:57.105Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/738c6c77-97ef-4e47-9f14-9b73ea425bc2?source=cve"},{"url":"https://blog.nintechnet.com/unauthenticated-stored-xss-in-wordpress-coming-soon-page-and-maintenance-mode-plugin/"},{"url":"https://plugins.trac.wordpress.org/changeset/2123149/responsive-coming-soon"},{"url":"https://plugins.trac.wordpress.org/changeset/2121321/responsive-coming-soon"}],"timeline":[{"lang":"en","time":"2019-07-16T00:00:00.000Z","value":"Disclosed"}],"title":"Coming Soon Page & Maintenance Mode <= 1.8.1 - Stored Cross Site Scripting"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2019-25140","datePublished":"2023-06-07T01:51:26.427Z","dateReserved":"2023-06-06T12:50:22.138Z","dateUpdated":"2026-04-08T17:00:57.105Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2023-06-07 02:15:10","lastModifiedDate":"2026-04-08 18:17:03","problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wpshopmart:coming_soon_page_\\&_maintenance_mode:*:*:*:*:*:wordpress:*:*","versionEndIncluding":"1.8.1","matchCriteriaId":"46F5A8D7-F93A-415D-8128-DFBE7EF27ED4"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"25140","Ordinal":"1","Title":"Coming Soon Page & Maintenance Mode <= 1.8.1 - Stored Cross Site","CVE":"CVE-2019-25140","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"25140","Ordinal":"1","NoteData":"The WordPress Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the logo_width, logo_height, rcsp_logo_url, home_sec_link_txt, rcsp_headline and rcsp_description parameters in versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","Type":"Description","Title":"Coming Soon Page & Maintenance Mode <= 1.8.1 - Stored Cross Site"}]}}}