The Minimal Coming Soon – Coming Soon Page plugin for WordPress suffers from a missing authorization vulnerability classified as CWE-862. Specifically, the plugin's AJAX handlers—validate_ajax, deactivate_ajax, and save_ajax—lack proper capability checks to verify if the requesting user has sufficient privileges before allowing modification of plugin data. This flaw permits any authenticated user with at least Subscriber-level access to alter the license key stored by the plugin. Since WordPress Subscriber roles are typically assigned to low-privilege users, this vulnerability significantly lowers the bar for exploitation. The absence of user interaction requirements and the network attack vector (AV:N) make this vulnerability easier to exploit remotely. The CVSS 3.1 base score is 6.3 (medium), reflecting the moderate impact on confidentiality, integrity, and availability. Modifying the license key could disable plugin features, potentially disrupting website functionality or causing denial of service for the affected plugin. No patches or known exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The issue affects all versions up to 2.38 inclusive.

This vulnerability allows low-privileged authenticated users to modify the license key of the Minimal Coming Soon plugin, which can lead to disabling critical plugin features. This can degrade website availability and functionality, especially for sites relying on this plugin for managing coming soon or maintenance pages. Unauthorized license key changes could also lead to loss of access to premium features or updates, increasing operational risk. Confidentiality and integrity impacts are moderate since the attacker can alter plugin data but not necessarily access broader site data or escalate privileges directly. However, the ease of exploitation by low-privilege users increases the risk profile. Organizations with multiple users or open registration on WordPress sites are particularly vulnerable. The disruption could affect marketing, user experience, and site launch timelines. While no known exploits exist currently, the public disclosure increases the likelihood of future exploitation attempts.

Administrators should immediately verify if they are running the Minimal Coming Soon – Coming Soon Page plugin version 2.38 or earlier and plan to update to a patched version once available. In the absence of an official patch, implement the following mitigations: 1) Restrict user roles to minimize Subscriber-level accounts or disable unnecessary user registrations. 2) Use WordPress security plugins or custom code to enforce capability checks on AJAX endpoints related to this plugin. 3) Monitor logs for suspicious AJAX requests targeting validate_ajax, deactivate_ajax, and save_ajax functions. 4) Temporarily disable or deactivate the plugin if it is not critical to site operations. 5) Employ web application firewalls (WAFs) to detect and block unauthorized AJAX requests. 6) Educate site administrators and users about the risk and encourage strong access control policies. 7) Regularly back up site data and plugin configurations to enable recovery if unauthorized changes occur.