Conditional Maintenance Mode for WordPress <= 1.0.0 - Cross-Site Request Forgery
Platform
wordpress
Component
maintenance-mode-based-on-user-roles
Fixed in
1.0.1
CVE-2025-12586 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Conditional Maintenance Mode plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's settings, specifically enabling or disabling the site's maintenance mode, potentially causing service disruptions. The vulnerability impacts versions 1.0.0 and earlier, with a fix available in version 2.0.0.
Impact and Attack Scenarios
The primary impact of this CSRF vulnerability is the ability for an attacker to remotely control the site's maintenance mode status. By crafting a malicious request and tricking an administrator into clicking a link or visiting a compromised page, an attacker can unexpectedly put the site into maintenance mode, denying access to legitimate users. Conversely, they could disable maintenance mode when it's intended to be active, potentially exposing the site to vulnerabilities. The blast radius is limited to the affected WordPress site and its users; however, the disruption caused by unexpected maintenance mode changes can be significant.
Exploitation Context
This vulnerability was publicly disclosed on 2025-11-25. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The CVSS score of 4.3 (Medium) indicates a moderate risk, suggesting potential for exploitation if attackers can successfully craft and deliver malicious requests.
Who Is at Risk
WordPress sites utilizing the Conditional Maintenance Mode plugin, particularly those with administrators who are susceptible to social engineering attacks or who frequently click on links from untrusted sources, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromise on one site could lead to attacks targeting others.
Detection Steps
- wordpress / composer / npm:
  grep -r 'maintenance_mode_status' /var/www/html/wp-content/plugins/conditional-maintenance-mode/
- wordpress / composer / npm:
  wp plugin list --status=inactive | grep 'conditional-maintenance-mode'
- wordpress / composer / npm:
  wp plugin list --status=active | grep 'conditional-maintenance-mode'
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.02% (percentile 5%)
CISA SSVC
CVSS Vector
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: unauthenticated. No credentials are needed to exploit.
- User Interaction
- Required: the victim must open a file, click a link, or visit a page.
- Scope
- Unchanged: impact limited to the vulnerable component.
- Confidentiality
- None: no impact on confidentiality.
- Integrity
- None: no impact on integrity.
- Availability
- Low: partial or intermittent denial of service.
Affected Software
Package information
- Active installations
- 0
- Plugin rating
- 0.0
- Requires WordPress
- 4.0+
- Tested up to
- 6.7.5
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The recommended mitigation is to immediately upgrade the Conditional Maintenance Mode plugin to version 2.0.0 or later, which addresses the missing nonce validation. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the maintenance mode toggling endpoint. Additionally, educate administrators to be cautious of suspicious links and avoid clicking on them without verifying their authenticity. After upgrading, confirm the fix by attempting to trigger the maintenance mode toggle via a crafted CSRF request – it should be rejected.
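The fix described above is a missing nonce check on the settings handler. The following added example (hypothetical code, not the plugin's own) shows the CSRF-prone pattern beside the corrected one using standard WordPress APIs; the option name `cmm_maintenance_enabled`, the action `cmm_toggle` and the nonce action `cmm_toggle_maintenance` are assumed.

```php
<?php
// Added example, not the plugin's code. Option name, action and nonce action
// names are assumed for illustration.

// BEFORE: any POST that reaches admin-post.php with action=cmm_toggle flips the
// option. A logged-in administrator who lands on a hostile page that auto-submits
// such a form toggles maintenance mode without intending to (the CSRF).
function cmm_toggle_vulnerable() {
    $enabled = ! empty( $_POST['enabled'] );
    update_option( 'cmm_maintenance_enabled', $enabled );
    wp_safe_redirect( admin_url( 'options-general.php?page=cmm' ) );
    exit;
}

// AFTER: require both a capability and a nonce bound to this specific action.
// The nonce is derived from the user's session, so a form served from another
// origin cannot supply a valid '_wpnonce' value.
function cmm_toggle_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Stops with a 403 if '_wpnonce' is missing, expired or does not verify.
    check_admin_referer( 'cmm_toggle_maintenance' );
    $enabled = ! empty( $_POST['enabled'] );
    update_option( 'cmm_maintenance_enabled', $enabled );
    wp_safe_redirect( admin_url( 'options-general.php?page=cmm' ) );
    exit;
}
add_action( 'admin_post_cmm_toggle', 'cmm_toggle_fixed' );

// The legitimate settings form must emit the matching nonce field.
function cmm_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cmm_toggle">
        <?php wp_nonce_field( 'cmm_toggle_maintenance' ); ?>
        <label><input type="checkbox" name="enabled" value="1"> Enable maintenance mode</label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

To verify a deployed fix, submit the toggle form with the `_wpnonce` field removed or altered: the hardened handler must respond with a 403 and leave the option unchanged.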
How to fix
Update to version 2.0.0, or a newer fixed version
Frequently Asked Questions
What is CVE-2025-12586 — XSRF in Conditional Maintenance Mode for WordPress?
CVE-2025-12586 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Conditional Maintenance Mode WordPress plugin, allowing attackers to toggle maintenance mode without authentication.
Am I affected by CVE-2025-12586 in Conditional Maintenance Mode for WordPress?
You are affected if you are using the Conditional Maintenance Mode plugin version 1.0.0 or earlier. Upgrade to 2.0.0 to mitigate the risk.
How do I fix CVE-2025-12586 in Conditional Maintenance Mode for WordPress?
Upgrade the Conditional Maintenance Mode plugin to version 2.0.0 or later. Consider WAF rules as a temporary workaround if immediate upgrade isn't possible.
Is CVE-2025-12586 being actively exploited?
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Where can I find the official Conditional Maintenance Mode advisory for CVE-2025-12586?
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.