CVE-2024-9706: Ultimate Coming Soon & Maintenance <= 1.0.9 - Missing Authorization to Unauthenticated Template Activation

5.3 CVSS

Description

The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ucsm_activate_lite_template_lite function in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to change the template used for the coming soon / maintenance page.

Classification

CVE ID: CVE-2024-9706

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

Affected Products

Vendor: rstheme2017

Product: Ultimate Coming Soon & Maintenance

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 19.3% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/a535eb7f-5ec7-4b3b-b46f-4f09434d04b6?source=cve
https://plugins.trac.wordpress.org/browser/ultimate-coming-soon/trunk/backend/tabs-content/templates/frontend-part/display-template.php#L105

Timeline

2024-12-07 00:31:29 UTC
CVE

Ultimate Coming Soon & Maintenance <= 1.0.9 - Missing Authorization to Unauthenticated Template Activation