Vulnerability Details : CVE-2020-36730
The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax() functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export subscriber lists, and/or deactivate the plugin.
Products affected by CVE-2020-36730
- cpe:2.3:a:niteothemes:cmp:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-36730
0.14%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 49 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-36730
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H |
3.9
|
4.7
|
NIST | |
8.3
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |
3.9
|
3.7
|
Wordfence |
CWE ids for CVE-2020-36730
-
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Assigned by:
- nvd@nist.gov (Primary)
- security@wordfence.com (Secondary)
References for CVE-2020-36730
-
https://www.wordfence.com/threat-intel/vulnerabilities/id/f1ef067b-e4b4-4174-b6ff-ec94a7afd55d?source=cve
CMP <= 3.8.1 - Missing AuthorizationThird Party Advisory
-
https://blog.nintechnet.com/multiple-vulnerabilities-fixed-in-cmp-coming-soon-and-maintenance-plugin/
Multiple vulnerabilities fixed in CMP – Coming Soon and Maintenance plugin. – NinTechNetExploit
-
https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-cmp-coming-soon-maintenance-by-niteothemes-security-bypass-3-8-1/
WordPress Plugin CMP-Coming Soon & Maintenance by NiteoThemes Security Bypass (3.8.1) - Vulnerabilities - AcunetixThird Party Advisory
-
https://wpscan.com/vulnerability/10341
Just a moment...Third Party Advisory
Jump to