CVE-2020-36752: Changeset 2368978 for nifty-coming-soon-and-under-construction-page – WordPress Plugin Repository
The Coming Soon & Maintenance Mode Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.57. This is due to incorrect nonce validation in the save_meta_box() function: the nonce was only verified when the meta box's _nonce POST field was present, so a forged request that simply omitted that field was never rejected. This makes it possible for unauthenticated attackers to save meta box values via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
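The following is an added example, not code from the plugin or from this changeset. It reproduces the two forms of the save_meta_box() nonce condition (the pre-1.58 form and the 1.58 form) as standalone predicates and runs them against three constructed POST bodies. wp_create_nonce()/wp_verify_nonce() are replaced by a simplified stand-in (an HMAC over tick|action with a made-up secret, with no user or session binding) so the script runs outside WordPress; the meta box id nifty_settings, the secret and the request bodies are all constructed for the demo.

```php
<?php
// Added example, not plugin code. The nonce helpers below are a simplified
// stand-in for WordPress's wp_create_nonce()/wp_verify_nonce(); the real ones
// also bind the nonce to the user id and session token (assumption: omitted).

const NONCE_SECRET = 'example-secret-not-a-real-wp-salt'; // constructed
const NONCE_LIFE   = 86400;                               // 24h, as in WordPress

// Stand-in for wp_nonce_tick(): a nonce is valid for the current and previous tick.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Stand-in for wp_create_nonce(): 10 hex chars taken from an HMAC over tick|action.
function create_nonce(string $action, int $now): string {
    $tick = nonce_tick($now);
    return substr(hash_hmac('md5', $tick . '|' . $action, NONCE_SECRET), -12, 10);
}

// Stand-in for wp_verify_nonce(): constant-time compare against both valid ticks.
function verify_nonce($nonce, string $action, int $now): bool {
    $nonce = (string) $nonce;
    if ($nonce === '') {
        return false;
    }
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        $expected = substr(hash_hmac('md5', $t . '|' . $action, NONCE_SECRET), -12, 10);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Pre-1.58 condition (r2090861): reject only when a nonce is present AND invalid.
// A request that omits the field entirely is not rejected.
function nonce_rejects_before(array $post, string $id, int $now): bool {
    $key = $id . '_nonce';
    return isset($post[$key]) && !verify_nonce($post[$key], $id, $now);
}

// 1.58 condition (r2368978): reject when the nonce is missing OR invalid.
function nonce_rejects_after(array $post, string $id, int $now): bool {
    $key = $id . '_nonce';
    return empty($post[$key]) || !verify_nonce($post[$key], $id, $now);
}

$id  = 'nifty_settings'; // constructed meta box id
$now = time();

// Constructed POST bodies: one from the admin's own form, two forged by a third party.
$requests = [
    'legitimate (valid nonce)' => [$id . '_nonce' => create_nonce($id, $now), 'title' => 'ok'],
    'forged (wrong nonce)'     => [$id . '_nonce' => 'deadbeef00', 'title' => 'evil'],
    'forged (no nonce field)'  => ['title' => 'evil'],
];

foreach ($requests as $label => $post) {
    printf("%-26s before: %-8s after: %s\n", $label,
        nonce_rejects_before($post, $id, $now) ? 'rejected' : 'SAVED',
        nonce_rejects_after($post, $id, $now)  ? 'rejected' : 'SAVED');
}
```

Run with php on the command line. The first two rows are identical under both conditions; the third row is the bug: a forged request with no nonce field is saved by the pre-1.58 check and rejected by the 1.58 check. The admin's browser supplies the cookies, so the capability test that follows the nonce check in the plugin would pass for that request, which is why the nonce has to be required rather than merely validated when present.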
Timestamp:
08/25/2020 08:29:57 PM
Author:
WebFactory
Message:
Security fixes.
Location:
nifty-coming-soon-and-under-construction-page/trunk
Files:
- admin/includes/class-ot-meta-box.php (1 diff)
- admin/includes/ot-meta-box-api.php (1 diff)
- nifty-coming-soon.php (2 diffs)
- readme.txt (3 diffs)
nifty-coming-soon-and-under-construction-page/trunk/admin/includes/class-ot-meta-box.php
r2090861
r2368978
208
208
209
209
// Verify nonce.
210
if ( isset( $\_POST\[ $this->meta\_box\['id'\] . '\_nonce' \] ) && ! wp\_verify\_nonce( $\_POST\[ $this->meta\_box\['id'\] . '\_nonce' \], $this->meta\_box\['id'\] ) ) { // phpcs:ignore
210
if (empty($\_POST\[ $this->meta\_box\['id'\] . '\_nonce'\]) || !wp\_verify\_nonce($\_POST\[ $this->meta\_box\['id'\] . '\_nonce'\], $this->meta\_box\['id'\])) {
211
211
return $post\_id;
212
212
}
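Review bot: the rewrite at new line 210 drops the trailing // phpcs:ignore but still passes the raw $_POST value straight to wp_verify_nonce(), so WPCS will now flag the missing wp_unslash()/sanitize_text_field() wrapping; either keep the annotation or pass sanitize_text_field( wp_unslash( $_POST[ $this->meta_box['id'] . '_nonce' ] ) ). The logic itself is the right fix: the old isset() && ! wp_verify_nonce() form never returned when the field was absent, while empty() || ! wp_verify_nonce() returns on both a missing and an invalid nonce. empty() also treats the string "0" as empty, which is harmless here because a valid nonce is never that value.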
nifty-coming-soon-and-under-construction-page/trunk/admin/includes/ot-meta-box-api.php
r1457192
r2368978
202
202
203
203
/\* verify nonce \*/
204
if ( isset( $\_POST\[ $this->meta\_box\['id'\] . '\_nonce'\] ) && ! wp\_verify\_nonce( $\_POST\[ $this->meta\_box\['id'\] . '\_nonce'\], $this->meta\_box\['id'\] ) )
205
return $post\_id;
204
if (empty($\_POST\[$this->meta\_box\['id'\] . '\_nonce'\]) || !wp\_verify\_nonce($\_POST\[$this->meta\_box\['id'\] . '\_nonce'\], $this->meta\_box\['id'\])) {
205
return $post\_id;
206
}
207
206
208
207
209
/\* check permissions \*/
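Review bot: the same nonce condition is now duplicated verbatim in class-ot-meta-box.php and here at new lines 204-206; consider moving it into one helper on the meta box class so the next fix does not have to be applied in two places. The ordering is correct: the early return happens before the /* check permissions */ block, so a forged request is dropped before any capability test runs. Adding braces around the previously brace-less single-statement if is a welcome style fix.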
nifty-coming-soon-and-under-construction-page/trunk/nifty-coming-soon.php
r2329039
r2368978
4
4
Plugin URI: https://wordpress.org/plugins/nifty-coming-soon-and-under-construction-page/
5
5
Description: Easy to set up Coming Soon, Maintenance and Under Construction page. It features Responsive design, Countdown timer, Animations, Live Preview, Background Slider, Subscription form and more.
6
Version: 1.57
6
Version: 1.58
7
7
Author: WebFactory Ltd
8
8
Author URI: https://webfactoryltd.com/
…
…
34
34
}
35
35
}
36
37
38
39
36
40
37
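Review bot: the second hunk in this file (new lines 36-40) shows four added lines whose content is not visible on this page, so what was added there cannot be reviewed from the changeset view; since the commit message says only "Security fixes.", please state in the message what those lines introduce. The Version bump to 1.58 at line 6 is consistent with the Stable tag change in readme.txt.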
nifty-coming-soon-and-under-construction-page/trunk/readme.txt
r2329039
r2368978
2
2
Contributors: WebFactory, wpreset, underconstructionpage, googlemapswidget
3
3
Tags: coming soon, coming soon page, launch page, maintenance mode, maintenance page, coming soon mode, under construction, maintenance mode page, landing page, offline page, subscribe form, maintenance
4
Tested up to: 5.4
4
Tested up to: 5.5
5
5
License: GPLv3
6
6
License URI: http://www.gnu.org/licenses/gpl-2.0.html
7
Stable tag: 1.57
7
Stable tag: 1.58
8
8
Requires PHP: 5.2
9
9
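Review bot: the unchanged context at lines 5-6 has License: GPLv3 but the License URI points to gpl-2.0.html; fix the URI to match the stated license while this file is being touched. Tested up to: 5.5 and Stable tag: 1.58 are consistent with the plugin header change in nifty-coming-soon.php.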
…
…
43
43
\### NEED MORE THEMES?
44
44
45
Check out <a href="https://comingsoonwp.com/?utm\_source=wordpressorg&utm\_medium=content&utm\_campaign=readme-nifty&utm\_content=theme-demos">theme demos</a> plugin ! We have over 100!
45
Check out <a href="https://comingsoonwp.com/?utm\_source=wordpressorg">theme demos</a> plugin ! We have over 170!
46
46
47
47
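Review bot: style nit at new line 45: "theme demos</a> plugin !" keeps a stray space before the exclamation mark from the old line; "theme demos</a> plugin! We have over 170!" reads cleanly.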
…
…
85
85
86
86
\== Changelog ==
87
88
\= 1.58 =
89
\* 2020/08/25
90
\* security fixes
87
91
88
92
\= 1.57 =
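Review bot: the new 1.58 changelog entry at lines 88-90 says only "security fixes"; name the fix (CSRF hardening: the meta box nonce is now required, not just validated when present, in save_meta_box()) so site owners can judge upgrade urgency and the entry can be matched to the advisory.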