Vulnerabilities and security research for cmp-coming-soon-maintenance
Apr 19, 2026
CMP – Coming Soon & Maintenance Plugin by NiteoThemes # CVE-2026-6518
- CVE, Research URL
- Date
- Apr 18, 2026
- Research Description
- The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability.
- Affected versions
- max 4.1.17.
- Status
- vulnerable
Apr 06, 2025
CMP – Coming Soon & Maintenance Plugin by NiteoThemes # CVE-2025-32118
- CVE, Research URL
- Date
- Apr 04, 2025
- Research Description
- Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance allows Using Malicious Files. This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.13.
- Affected versions
- max 4.1.15.
- Status
- vulnerable
Jun 07, 2024
CMP – Coming Soon & Maintenance Plugin by NiteoThemes # CVE-2023-1263
- CVE, Research URL
- Date
- Mar 08, 2023
- Research Description
- The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 4.1.6 via the cmp_get_post_detail function. This can allow unauthenticated individuals to obtain the contents of any non-password-protected, published post or page even when maintenance mode is enabled.
- Affected versions
- max 4.1.7.
- Status
- vulnerable
CMP – Coming Soon & Maintenance Plugin by NiteoThemes # CVE-2023-2159
- CVE, Research URL
- Date
- Jun 09, 2023
- Research Description
- The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Maintenance Mode Bypass in versions up to, and including, 4.1.7. A correct cmp_bypass GET parameter in the URL (equal to the md5-hashed home_url in the default setting) allows users to visit a site placed in maintenance mode thus bypassing the plugin's provided feature.
- Affected versions
- max 4.1.8.
- Status
- vulnerable
CMP – Coming Soon & Maintenance Plugin by NiteoThemes # CVE-2022-0188
- CVE, Research URL
- Date
- Feb 14, 2022
- Research Description
- The CMP WordPress plugin before 4.0.19 allows any user, even not logged in, to arbitrarily change the coming soon page layout.
- Affected versions
- max 3.8.2.
- Status
- vulnerable
CMP – Coming Soon & Maintenance Plugin by NiteoThemes # CVE-2020-36730
- CVE, Research URL
- Date
- Jun 07, 2023
- Research Description
- The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax() functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export subscriber lists, and/or deactivate the plugin.
- Affected versions
- max 3.8.2.
- Status
- vulnerable
CMP – Coming Soon & Maintenance Plugin by NiteoThemes # CVE-2023-50374
- CVE, Research URL
- Date
- Mar 28, 2024
- Research Description
- Server-Side Request Forgery (SSRF) vulnerability in NiteoThemes CMP – Coming Soon & Maintenance. This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.10.
- Affected versions
- max 4.1.11.
- Status
- vulnerable