CVE-2024-1136: CWE-862 Missing Authorization in wpshopmart Coming Soon Page & Maintenance Mode
The Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to an improperly implemented URL check in the wpsm_coming_soon_redirect function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to view the content of a site that has maintenance mode or coming-soon mode enabled.
AI Analysis
Technical Summary
CVE-2024-1136 is a Missing Authorization (CWE-862) vulnerability in the 'Coming Soon Page & Maintenance Mode' WordPress plugin by wpshopmart, affecting all versions up to and including 2.2.1. The flaw is in wpsm_coming_soon_redirect, the function that decides whether a request is served the coming-soon or maintenance splash page or the real site. That decision is keyed to a check of the requested URL rather than to the requester's identity and capabilities; because the URL is entirely attacker-controlled, an unauthenticated visitor can send a request that the check does not intercept and be served the normal site content the plugin is supposed to hide. The attack is reachable over the network and needs no privileges or user interaction, so it is trivially repeatable by automated scanners. The CVSS v3.1 base score is 5.3 (medium), which corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: the only impact is a partial loss of confidentiality, and integrity and availability are unaffected. This record lists no patch link and no public exploit code, but sites that rely on the plugin to conceal content during maintenance or pre-launch periods remain exposed. The underlying lesson is that a maintenance-mode plugin is an access control only when its gate is keyed to an authenticated capability (for example, whether the current user can manage_options); a gate keyed to URL patterns is a presentation feature and cannot be relied on to keep content confidential.
Potential Impact
The primary impact of CVE-2024-1136 is unauthorized disclosure of website content that is intended to be hidden during maintenance or coming soon phases. This can lead to leakage of sensitive information such as unreleased product details, internal communications, or other proprietary content. While the vulnerability does not allow modification or disruption of the website, the confidentiality breach can damage organizational reputation, reveal business strategies, or provide attackers with reconnaissance information for further attacks. Organizations using this plugin on public-facing WordPress sites are at risk, especially those that rely on the plugin to conceal content during critical updates or launches. The ease of exploitation and lack of authentication requirements increase the likelihood of opportunistic scanning and unauthorized access attempts.
Mitigation Recommendations
Organizations should first confirm whether the 'Coming Soon Page & Maintenance Mode' plugin by wpshopmart is installed and which version is active (the Plugins screen, or `wp plugin list` under WP-CLI); every version up to and including 2.2.1 is affected. This record lists no patch link, so check the plugin's changelog for a release newer than 2.2.1 and update if one exists. Until the site runs a fixed version, administrators should consider the following mitigations:
1) Temporarily deactivate the plugin. This does not hide the site by itself, so pair it with item 2 or with a gate that checks an authenticated capability.
2) Enforce the maintenance gate outside the plugin: an IP allowlist or HTTP Basic authentication at the web server, reverse proxy, or firewall, returning 503 to everyone else. A control enforced before WordPress runs is unaffected by how the plugin matches URLs.
3) Review web server logs for front-end requests from unknown clients that received 200 responses with full page bodies while maintenance mode was enabled; a working gate should have answered those requests with the splash page.
4) If a WAF is in place, have it enforce the allowlist itself rather than trying to block specific bypass URLs, since the exact URL variants that defeat the check are not documented here.
5) Follow vendor and Wordfence advisories for this plugin and apply the fix promptly once it is available.
6) Audit other maintenance-mode or access-gating plugins for the same pattern: any gate that keys its decision on the request URL instead of an authenticated capability is open to the same class of bypass.
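The two patterns discussed above, the URL-keyed gate that the Technical Summary identifies as the root cause and the capability-keyed gate that mitigations 1 and 2 call for, side by side as an added example. This is not the wpshopmart plugin's code: the flawed function is a generic illustration of the CWE-862 pattern in this plugin class, not a reconstruction of wpsm_coming_soon_redirect (the page does not document the exact URL variants that bypass it), and every demo_-prefixed name is invented for the example. The WordPress functions it calls (add_action, is_user_logged_in, current_user_can, nocache_headers, wp_die) are real core APIs. Saved as a file under wp-content/mu-plugins/, the hardened part acts as a stand-in gate while the vulnerable plugin is deactivated.

```php
<?php
/**
 * Plugin Name: demo capability-gated maintenance mode
 * Description: Added example (not the wpshopmart plugin's code). Drop into
 *              wp-content/mu-plugins/ to hide the front end from everyone
 *              except logged-in users who can manage_options.
 *
 * Every name prefixed demo_ is invented for this example.
 */

defined( 'ABSPATH' ) || exit;

/*
 * FLAWED PATTERN (illustration of CWE-862 in this plugin class; NOT the
 * plugin's code and not a reconstruction of its check). Defined only for
 * contrast and deliberately never hooked.
 *
 * The "may this request through?" decision is computed from the request
 * URL, which the attacker supplies. Whatever the string test lets pass is
 * served the real site, so authorization reduces to finding a URL the test
 * does not cover, or one that happens to contain an "allowed" substring.
 */
function demo_url_gated_redirect_flawed() {
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? (string) $_SERVER['REQUEST_URI'] : '/';

    // Intended to keep login/admin reachable, but no identity is ever checked:
    // any URL containing one of these substrings (in the path or the query
    // string) is let through to the unrestricted site.
    foreach ( array( 'wp-login', 'wp-admin', 'admin-ajax' ) as $needle ) {
        if ( false !== strpos( $uri, $needle ) ) {
            return;
        }
    }
    demo_send_splash();
}

/*
 * HARDENED PATTERN: the decision is made from the requester's authenticated
 * identity and capability, which only WordPress's session cookie can
 * establish. The URL plays no part in it.
 */
function demo_user_may_preview() {
    return is_user_logged_in() && current_user_can( 'manage_options' );
}

function demo_capability_gated_redirect() {
    if ( demo_user_may_preview() ) {
        return;             // an administrator previewing the site
    }
    demo_send_splash();     // everyone else, whatever URL they requested
}

function demo_send_splash() {
    nocache_headers();                 // stop proxies/CDNs caching the splash in place of the site
    header( 'Retry-After: 3600' );     // ask crawlers to come back later
    wp_die(
        '<h1>Site under maintenance</h1><p>Please check back soon.</p>',
        'Maintenance',
        array( 'response' => 503 )     // wp_die sends the page and exits
    );
}

// template_redirect fires only for front-end requests that reach
// wp-includes/template-loader.php, so wp-login.php and wp-admin stay
// reachable without any URL special-casing. Priority 0 runs this gate
// before other plugins' template_redirect handlers.
add_action( 'template_redirect', 'demo_capability_gated_redirect', 0 );
```

template_redirect is not fired for the REST API (/wp-json/), XML-RPC or admin-ajax.php, so content exposed through those endpoints needs its own gate (for the REST API, the rest_authentication_errors filter). Full-page caches can also keep serving either the splash or the real page after the gate changes, so purge them whenever maintenance mode is enabled or disabled.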
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-31T19:05:56.198Z
- CISA Enriched: true
Threat ID: 682d9849c4522896dcbf6f1b
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 2/28/2026, 8:09:54 AM
Last updated: 3/27/2026, 8:46:51 AM