CVE-2019-25140: 
WordPress vulnerability analysis and mitigation

The WordPress Coming Soon Page & Maintenance Mode plugin was found to contain a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.8.1. The vulnerability was discovered on July 5, 2019, and publicly disclosed on July 17, 2019. This plugin, which had over 7,000 active installations at the time, allowed unauthenticated attackers to inject malicious web scripts through multiple parameters (NinTechNet Blog).

The vulnerability exists due to insufficient input sanitization and output escaping in multiple parameters including logo_width, logo_height, rcsp_logo_url, home_sec_link_txt, rcsp_headline, and rcsp_description. The issue stems from the plugin's main script loading 'data-save-post.php' without proper security checks, allowing unauthenticated users to inject arbitrary web scripts. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) by NIST and 7.2 (HIGH) by Wordfence, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to inject arbitrary JavaScript or HTML code into the blog's front-end that executes whenever a user accesses an injected page. This could lead to potential client-side attacks against site visitors and administrators (NinTechNet Blog).

Users are advised to update to version 1.8.2 or later which includes security patches for this vulnerability. The fix was implemented through changes in the plugin's codebase, adding proper input sanitization and output escaping (WordPress Plugin). Users of NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium) were automatically protected against this vulnerability (NinTechNet Blog).