CVE-2020-36707: 
WordPress vulnerability analysis and mitigation

The Coming Soon & Maintenance Mode Page plugin for WordPress was found to be vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.57. The vulnerability was discovered and disclosed in September 2020, affecting the plugin's security mechanisms due to confusing logic functions that resulted in missing or incorrect nonce validation (NVD, WPScan).

The vulnerability stems from improper implementation of CSRF protection mechanisms where the plugin only checks the CSRF nonce if it has been provided, making it vulnerable to CSRF attacks if the nonce is removed. This security flaw is classified as CWE-352 (Cross-Site Request Forgery). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, Acunetix).

The vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing actions such as clicking on malicious links. This could potentially lead to unauthorized access and execution of administrative functions within the plugin's scope (NVD).

The vulnerability has been fixed in version 1.58 of the Coming Soon & Maintenance Mode Page plugin. Users are strongly recommended to update to this version or later to protect against CSRF attacks (WPScan).