{"api_version":"1","generated_at":"2026-04-24T22:09:43+00:00","cve":"CVE-2020-36707","urls":{"html":"https://cve.report/CVE-2020-36707","api":"https://cve.report/api/cve/CVE-2020-36707.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-36707","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-36707"},"summary":{"title":"Coming Soon & Maintenance Mode Page <= 1.57 - Cross-Site Request Forgery","description":"The Coming Soon & Maintenance Mode Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.57. This is due to confusing logic functions missing or having incorrect nonce validation. This makes it possible for unauthenticated attackers to gain and perform otherwise unauthorized access and actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2023-06-07 02:15:11","updated_at":"2026-04-08 18:17:08"},"problem_types":["CWE-352","CWE-352 CWE-352 Cross-Site Request Forgery (CSRF)"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/59278214-b0ce-44bf-8d8f-265c5c50006a?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/59278214-b0ce-44bf-8d8f-265c5c50006a?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Coming Soon & Maintenance Mode Page <= 1.57 - Cross-Site Request Forgery","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://wpscan.com/vulnerability/aa47a464-af97-43bc-b6cb-75a08ce3ece7","name":"https://wpscan.com/vulnerability/aa47a464-af97-43bc-b6cb-75a08ce3ece7","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Multiple Plugins/Themes - Cross-Site Request Forgery (CSRF) WordPress Security Vulnerability","mime":"text/html","httpstatus":"403","archivestatus":"200"},{"url":"https://jetpack.com/features/security/library/nifty-coming-soon-and-under-construction-page-plugin/","name":"https://jetpack.com/features/security/library/nifty-coming-soon-and-under-construction-page-plugin/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product"],"title":"Is Coming Soon & Maintenance Mode Page Safe?","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-coming-soon-maintenance-mode-page-cross-site-request-forgery-1-57/","name":"https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-coming-soon-maintenance-mode-page-cross-site-request-forgery-1-57/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"WordPress Plugin Coming Soon & Maintenance Mode Page Cross-Site Request Forgery (1.57) - Vulnerabilities - Acunetix","mime":"text/x-c++","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-36707","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36707","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"hookandhook","product":"Coming Soon & Maintenance Mode Page & Under Construction","version":"affected 1.57 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2020-09-16T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Jerome Bruandet","lang":"en"}],"nvd_cpes":[{"cve_year":"2020","cve_id":"36707","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wpconcern","cpe5":"nifty_coming_soon_\\&_maintenance_mode_page","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-04T17:37:06.503Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/59278214-b0ce-44bf-8d8f-265c5c50006a?source=cve"},{"tags":["x_transferred"],"url":"https://jetpack.com/features/security/library/nifty-coming-soon-and-under-construction-page-plugin/"},{"tags":["x_transferred"],"url":"https://wpscan.com/vulnerability/aa47a464-af97-43bc-b6cb-75a08ce3ece7"},{"tags":["x_transferred"],"url":"https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-coming-soon-maintenance-mode-page-cross-site-request-forgery-1-57/"}],"title":"CVE Program Container"},{"metrics":[{"other":{"content":{"id":"CVE-2020-36707","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2024-12-23T16:01:21.452734Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-12-23T16:22:07.854Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Coming Soon & Maintenance Mode Page & Under Construction","vendor":"hookandhook","versions":[{"lessThanOrEqual":"1.57","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Jerome Bruandet"}],"descriptions":[{"lang":"en","value":"The Coming Soon & Maintenance Mode Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.57. This is due to confusing logic functions missing or having incorrect nonce validation. This makes it possible for unauthenticated attackers to gain and perform otherwise unauthorized access and actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}],"metrics":[{"cvssV3_1":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-352","description":"CWE-352 Cross-Site Request Forgery (CSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T16:54:42.644Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/59278214-b0ce-44bf-8d8f-265c5c50006a?source=cve"},{"url":"https://jetpack.com/features/security/library/nifty-coming-soon-and-under-construction-page-plugin/"},{"url":"https://wpscan.com/vulnerability/aa47a464-af97-43bc-b6cb-75a08ce3ece7"},{"url":"https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-coming-soon-maintenance-mode-page-cross-site-request-forgery-1-57/"}],"timeline":[{"lang":"en","time":"2020-09-16T00:00:00.000Z","value":"Disclosed"}],"title":"Coming Soon & Maintenance Mode Page <= 1.57 - Cross-Site Request Forgery"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2020-36707","datePublished":"2023-06-07T01:51:21.596Z","dateReserved":"2023-06-06T12:44:47.356Z","dateUpdated":"2026-04-08T16:54:42.644Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2023-06-07 02:15:11","lastModifiedDate":"2026-04-08 18:17:08","problem_types":["CWE-352","CWE-352 CWE-352 Cross-Site Request Forgery (CSRF)"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wpconcern:nifty_coming_soon_\\&_maintenance_mode_page:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"1.58","matchCriteriaId":"56987E67-BE82-4FC1-A1C4-F81D6E02F7B6"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"36707","Ordinal":"1","Title":"Coming Soon & Maintenance Mode Page <= 1.57 - Cross-Site Request","CVE":"CVE-2020-36707","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"36707","Ordinal":"1","NoteData":"The Coming Soon & Maintenance Mode Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.57. This is due to confusing logic functions missing or having incorrect nonce validation. This makes it possible for unauthenticated attackers to gain and perform otherwise unauthorized access and actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","Type":"Description","Title":"Coming Soon & Maintenance Mode Page <= 1.57 - Cross-Site Request"}]}}}