Platform
wordpress
Component
under-construction-maintenance-mode
Fixed in
2.1.2
CVE-2026-34896 describes a Cross-Site Request Forgery (CSRF) vulnerability found in the Under Construction, Coming Soon & Maintenance Mode plugin for WordPress. Successful exploitation could allow an unauthenticated attacker to perform unauthorized actions on a website if they can manipulate a site administrator into clicking a malicious link. This vulnerability impacts versions of the plugin up to and including 2.1.1; a patch is available in version 2.1.2.
A successful CSRF attack could allow an attacker to modify site settings, create or delete pages, or perform other administrative actions without proper authentication. The impact is particularly severe for sites where administrative privileges are highly valued or where sensitive data is managed through the WordPress dashboard. This vulnerability is similar to other CSRF flaws where user interaction is required, but the potential for unauthorized actions remains significant. The attacker needs to craft a malicious link and convince an administrator to click it, which could be achieved through phishing or social engineering techniques.
CVE-2026-34896 was publicly disclosed on 2026-04-07. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. The medium CVSS score indicates a moderate level of exploitability and potential impact.
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34896 is to immediately upgrade the Under Construction, Coming Soon & Maintenance Mode plugin to version 2.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing stricter input validation and output encoding on all administrative functions within the plugin. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can provide an additional layer of protection. Review WordPress user permissions and enforce the principle of least privilege to limit the potential damage from a successful attack.
Update to version 2.1.2 or a newer patched version.
CSRF (Cross-Site Request Forgery) is a type of attack that forces an authenticated user to perform unwanted actions on a web application. The attacker leverages the user’s active session to execute commands.
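As an added example (not the plugin's own code), a hypothetical WordPress admin-post handler that lacks a nonce check, beside its hardened form; the hook name, option name, nonce action and field names are assumptions.

```php
<?php
// Hypothetical WordPress admin_post handler (not the affected plugin's code).
// Both variants save a "maintenance message" option posted from a settings form.

// VULNERABLE: trusts any POST that arrives with an administrator's cookies.
// A form on an attacker-controlled page that targets admin-post.php?action=ucmm_save_demo
// is processed like a legitimate one, because nothing proves the request was
// issued from the plugin's own settings page. Kept unhooked; shown for contrast only.
function ucmm_save_settings_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    update_option( 'ucmm_demo_message', wp_kses_post( wp_unslash( $_POST['message'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ucmm-demo&saved=1' ) );
    exit;
}

// HARDENED: capability check plus nonce check.
// check_admin_referer() validates the nonce field (and the HTTP referer) and
// dies with a 403 if either is missing or stale, so a cross-site form cannot
// carry a valid token even when the victim is logged in as an administrator.
function ucmm_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ucmm_save_demo', 'ucmm_nonce' );
    update_option( 'ucmm_demo_message', wp_kses_post( wp_unslash( $_POST['message'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ucmm-demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_ucmm_save_demo', 'ucmm_save_settings_hardened' );

// The settings form must emit the matching nonce so the hardened handler has
// something to verify. wp_nonce_field() prints the hidden nonce input and,
// by default, the _wp_http_referer field as well.
function ucmm_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ucmm_save_demo">
        <?php wp_nonce_field( 'ucmm_save_demo', 'ucmm_nonce' ); ?>
        <textarea name="message"><?php echo esc_textarea( get_option( 'ucmm_demo_message', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of flaw, look for handlers hooked to admin_post_*, admin_action_* or wp_ajax_* that reach update_option(), file writes or post changes without a check_admin_referer()/wp_verify_nonce() call on the way.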
If you are using a version of the 'Under Construction, Coming Soon & Maintenance Mode' plugin older than 2.1.2, your site is vulnerable. Verify the plugin version in your WordPress admin dashboard.
Immediately change the passwords of all users with administrator privileges. Perform a thorough scan of the site for modified files or suspicious activity. Restore the site from a clean backup if possible.
There are web security scanning tools that can detect CSRF vulnerabilities, although effectiveness may vary. Consider using a WordPress security plugin that includes vulnerability scanning capabilities.
No, this vulnerability is not currently listed in the CISA KEV catalog.