CVE-2024-1075: 
WordPress vulnerability analysis and mitigation

The Minimal Coming Soon – Coming Soon Page plugin for WordPress contains a maintenance mode bypass and information disclosure vulnerability (CVE-2024-1075) affecting all versions up to and including 2.37. The vulnerability stems from improper validation of request paths, enabling unauthenticated attackers to bypass maintenance mode and access pages that should be restricted (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) by NIST with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, while Wordfence assessed it with a score of 3.7 (LOW) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The core issue lies in the plugin's improper validation of request paths, which allows unauthorized access to protected content (NVD).

When exploited, this vulnerability allows unauthenticated attackers to bypass the maintenance mode functionality and view pages that should be hidden from public access. This could potentially expose sensitive information or work-in-progress content that was intended to remain private during maintenance periods (NVD).

Users should update to a version newer than 2.37 of the Minimal Coming Soon – Coming Soon Page plugin to address this vulnerability. A patch has been made available through the WordPress plugin repository (NVD).