CVE-2020-36730: 
WordPress vulnerability analysis and mitigation

The CMP (Coming Soon & Maintenance) WordPress plugin was found to contain an authorization bypass vulnerability (CVE-2020-36730) affecting versions up to and including 3.8.1. The vulnerability was publicly disclosed on June 6, 2023, and impacts the plugin's core functionality related to post access, subscriber data, and plugin management (NVD).

The vulnerability stems from missing capability checks in three critical functions: cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax(). This security flaw has received a CVSS v3.1 base score of 9.3 (CRITICAL) from NIST and 8.3 (HIGH) from Wordfence, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD, WPScan).

The vulnerability allows unauthenticated attackers to perform unauthorized actions including reading arbitrary posts, exporting subscriber lists, and deactivating the plugin. This represents a significant breach of access controls and could lead to unauthorized access to sensitive information and disruption of site functionality (Acunetix).

The vulnerability has been patched in version 3.8.2 of the CMP plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (WPScan).