vulnerability
WordPress Plugin: coming-soon-page: CVE-2022-0164: Incorrect Authorization
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:N/I:P/A:N) | Jan 24, 2022 | May 15, 2025 | May 4, 2026 |
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
Published
Jan 24, 2022
Added
May 15, 2025
Modified
May 4, 2026
Description
The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users.
Solution
coming-soon-page-plugin-cve-2022-0164
References
- https://www.cve.org/CVERecord?id=CVE-2022-0164
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e07649c0-b2eb-421b-95ae-a9530524470a?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-15372
- CVE-2022-0164
- https://attackerkb.com/topics/CVE-2022-0164
- CWE-352
- CWE-862
- EUVD-EUVD-2022-15372
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.