Hello OSS-Security Team,

I would like to responsibly disclose a security vulnerability identified in
the WordPress plugin *Under Construction & Maintenance Mode*.
------------------------------
Summary

A security issue was identified in the *Under Construction & Maintenance
Mode* WordPress plugin: a debug view shipped with the plugin accepts POST
requests that update WordPress options without authorization or nonce
checks. The attacker-controlled value is written to the database, which may
lead to *Stored Cross-Site Scripting (XSS)* in the WordPress admin dashboard.
------------------------------
Affected Component

   - *Plugin:* Under Construction & Maintenance Mode
   - *Vendor:* WPBrigade / Loginizer
   - *Affected File:* lib/wpb-sdk/views/wpb-debug.php

------------------------------
Vulnerability Details

The POST handler in the debug view writes to the options table without any
security controls:

   - Missing authorization checks (no current_user_can() before the write)
   - Missing nonce validation (no check_admin_referer() / wp_verify_nonce())
   - Direct use of user-controlled input in update_option(), for both the
   option name and the option value

Any request that reaches this handler can therefore create or overwrite any
WordPress option with an arbitrary value.
------------------------------
Vulnerability Type

   - Missing Authorization
   - Missing Nonce Validation
   - Arbitrary Option Update
   - Stored XSS (Admin Context)

------------------------------
Impact

An attacker who can reach the debug view may:

   - Create or overwrite arbitrary WordPress options
   - Store a JavaScript payload in an option value that the admin dashboard
   later renders unescaped
   - Trigger Stored XSS against an administrator viewing the dashboard
   - Manipulate site configuration or administrator sessions

------------------------------
Proof of Concept (Vulnerable Code Snippet from lib/wpb-sdk/views/wpb-debug.php)

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['set_option_name'])
    && isset($_POST['option_value'])) {

    update_option($_POST['set_option_name'], $_POST['option_value']);
}
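For comparison, the following is an added example of what a hardened form of
the handler above looks like. It is not the plugin's code and not part of the
original report; it assumes it runs inside WordPress in an admin context, and
the nonce action name 'wpb_debug_set_option', the 'manage_options' capability,
the 'wpb_' option-name prefix, the option name 'wpb_maintenance_message' and
the function names are assumptions chosen for illustration.

```php
<?php
/**
 * Added example, not the plugin's code: a hardened replacement for the POST
 * handler quoted above. Assumes the WordPress runtime (admin context).
 * Nonce action, capability, option prefix and function names are assumptions.
 */

/**
 * Only options under the plugin's own prefix may be written, so a debug tool
 * can never rewrite core options such as siteurl, admin_email or default_role.
 */
function wpb_debug_option_is_allowed( $name ) {
    // sanitize_key() lowercases and strips everything but [a-z0-9_-];
    // requiring equality rejects any name that needed cleaning.
    return is_string( $name )
        && sanitize_key( $name ) === $name
        && 0 === strpos( $name, 'wpb_' );
}

/**
 * Handles the debug form. Returns the option name on success, false when the
 * request is not a matching POST, and dies (403/400) on a failed check.
 */
function wpb_debug_handle_post() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD']
        || ! isset( $_POST['set_option_name'], $_POST['option_value'] ) ) {
        return false;
    }

    // 1. Authorization: the current_user_can() check the original lacks.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change options.', 'wpb-sdk' ), 403 );
    }

    // 2. CSRF protection: the nonce check the original lacks. check_admin_referer()
    //    dies with a 403 when the '_wpnonce' field is absent, expired or forged.
    check_admin_referer( 'wpb_debug_set_option', '_wpnonce' );

    // 3. Input validation: no raw $_POST reaches update_option().
    $name  = wp_unslash( $_POST['set_option_name'] );
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ) );

    if ( ! wpb_debug_option_is_allowed( $name ) ) {
        wp_die( esc_html__( 'Invalid option name.', 'wpb-sdk' ), 400 );
    }

    update_option( $name, $value );
    return $name;
}

/**
 * The matching form. wp_nonce_field() emits the hidden '_wpnonce' input that
 * check_admin_referer() verifies. Every stored value printed back is escaped,
 * which is what actually stops the stored XSS when the dashboard renders it.
 */
function wpb_debug_render_form() {
    // 'wpb_maintenance_message' is an assumed option name used for illustration.
    $current = get_option( 'wpb_maintenance_message', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wpb_debug_set_option', '_wpnonce' ); ?>
        <input type="text" name="set_option_name" value="wpb_maintenance_message">
        <input type="text" name="option_value" value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( esc_html__( 'Set option', 'wpb-sdk' ) ); ?>
    </form>
    <?php
}
```

Two points worth noting when reviewing a fix. Restricting the option name
matters independently of the XSS: with update_option() reachable, stored
script is only one outcome, since core options that govern site configuration
can be overwritten through the same call. And sanitizing on input is a second
layer, not the fix for the XSS itself; the place where the value is printed
into the dashboard must escape it with esc_html() / esc_attr(), because the
same option can be written by other code paths.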

------------------------------
Affected Versions

   - Versions prior to vendor fix
   (Exact version pending confirmation)

------------------------------
Disclosure Timeline

   - Vulnerability discovered through manual security testing
   - Advisory published through community channels
   - No active exploitation observed at the time of disclosure

------------------------------

Please let me know if any additional information is required.

Kind regards,
*Mohammed Abdallah*
