Platform
wordpress
Component
maintenance-mode-based-on-user-roles
Fixed version
1.0.1
CVE-2025-12586 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Conditional Maintenance Mode plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's settings, specifically enabling or disabling the site's maintenance mode, potentially causing service disruptions. The vulnerability impacts versions 1.0.0 and earlier, with a fix available in version 2.0.0.
The primary impact of this CSRF vulnerability is the ability for an attacker to remotely control the site's maintenance mode status. By crafting a malicious request and tricking an administrator into clicking a link or visiting a compromised page, an attacker can unexpectedly put the site into maintenance mode, denying access to legitimate users. Conversely, they could disable maintenance mode when it's intended to be active, potentially exposing the site to vulnerabilities. The blast radius is limited to the affected WordPress site and its users; however, the disruption caused by unexpected maintenance mode changes can be significant.
This vulnerability was publicly disclosed on 2025-11-25. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The CVSS score of 4.3 (Medium) indicates a moderate risk, suggesting potential for exploitation if attackers can successfully craft and deliver malicious requests.
WordPress sites utilizing the Conditional Maintenance Mode plugin, particularly those with administrators who are susceptible to social engineering attacks or who frequently click on links from untrusted sources, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromise on one site could lead to attacks targeting others.
• wordpress / composer / npm:
  grep -r 'maintenance_mode_status' /var/www/html/wp-content/plugins/conditional-maintenance-mode/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep 'conditional-maintenance-mode'
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'conditional-maintenance-mode'
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade the Conditional Maintenance Mode plugin to version 2.0.0 or later, which addresses the missing nonce validation. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out suspicious requests targeting the maintenance mode toggling endpoint. Additionally, educate administrators to be cautious of suspicious links and avoid clicking on them without verifying their authenticity. After upgrading, confirm the fix by attempting to trigger the maintenance mode toggle via a crafted CSRF request – it should be rejected.
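The advisory attributes the flaw to missing nonce validation on the settings handler. The following is an added illustrative example, not the Conditional Maintenance Mode plugin's own code; the option name, form field names, nonce action and function names are assumptions chosen for the example. It shows the unprotected pattern beside a handler hardened with the standard WordPress capability and nonce checks.

```php
<?php
// Added example (not the plugin's code). All names below are hypothetical.

// BEFORE: the handler stores the setting on any POST. A form on another site,
// submitted by a logged-in administrator's browser, is accepted because
// nothing ties the request to the plugin's own settings page (CSRF).
function cmm_example_save_settings_vulnerable() {
    if ( isset( $_POST['maintenance_mode_status'] ) ) {
        $enabled = ( '1' === $_POST['maintenance_mode_status'] );
        update_option( 'cmm_example_maintenance_mode_status', $enabled ? '1' : '0' );
    }
}

// AFTER, part 1: the settings form embeds a nonce bound to a specific action.
// A forged cross-site form cannot know this per-user, time-limited value.
function cmm_example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'cmm_example_toggle_maintenance', 'cmm_example_nonce' ); ?>
        <input type="hidden" name="action" value="cmm_example_toggle_maintenance">
        <label>
            <input type="checkbox" name="maintenance_mode_status" value="1">
            Enable maintenance mode
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER, part 2: the handler refuses the request unless the caller may manage
// options AND the request carries a valid nonce for this exact action.
function cmm_example_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the nonce field and calls wp_die() on failure,
    // so a request without a valid nonce never reaches update_option().
    check_admin_referer( 'cmm_example_toggle_maintenance', 'cmm_example_nonce' );

    $enabled = isset( $_POST['maintenance_mode_status'] )
        && '1' === sanitize_text_field( wp_unslash( $_POST['maintenance_mode_status'] ) );
    update_option( 'cmm_example_maintenance_mode_status', $enabled ? '1' : '0' );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_cmm_example_toggle_maintenance', 'cmm_example_save_settings_fixed' );
```

When verifying a fix as the paragraph above suggests, the hardened handler responds with an error page and leaves the option unchanged whenever the nonce field is absent or does not match the action.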
Update to version 2.0.0, or a later patched version.
CVE-2025-12586 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Conditional Maintenance Mode WordPress plugin, allowing attackers to toggle maintenance mode without authentication.
You are affected if you are using the Conditional Maintenance Mode plugin version 1.0.0 or earlier. Upgrade to 2.0.0 to mitigate the risk.
Upgrade the Conditional Maintenance Mode plugin to version 2.0.0 or later. Consider WAF rules as a temporary workaround if immediate upgrade isn't possible.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.