A serious security vulnerability has been uncovered in the popular WordPress plugin Under Construction / Maintenance Mode from Acurax, affecting all versions up to and including version 2.6. Identified as CVE-2024-1476, this vulnerability allows unauthenticated attackers to bypass the protection the plugin is meant to provide and access sensitive information via the REST API. In this post, we provide an in-depth analysis of the vulnerability and the steps necessary to mitigate it.

Vulnerability Details

The main function of the Under Construction / Maintenance Mode from Acurax plugin is to let WordPress site administrators display a static "Under Construction" or "Maintenance" page to visitors while the site is undergoing changes or updates. However, because the plugin's restriction is not applied to REST API responses, an unauthenticated attacker can easily bypass this static page and obtain the contents of posts and pages while maintenance mode is active.

This issue has been classified as a Sensitive Information Exposure vulnerability and assigned the identifier CVE-2024-1476. It can be exploited by sending a crafted request to the WordPress REST API, which returns the restricted posts and pages regardless of whether the site is in maintenance mode.

Below is a simple proof-of-concept code snippet demonstrating how to exploit the vulnerability:

import requests

target_url = "https://example.com"  # Replace with the target WordPress site
rest_api_endpoint = "/wp-json/wp/v2/posts"  # Public posts route of the WP REST API

# The plugin's maintenance page only covers the rendered front end, so an
# unauthenticated GET to the REST route is answered with the post content.
response = requests.get(target_url + rest_api_endpoint)

if response.status_code == 200:
    print(f"Obtained Posts: {response.json()}")
else:
    print("Failed to obtain sensitive information.")

Original References

The CVE entry for this vulnerability can be found on the official MITRE page here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1476

Additionally, the vulnerability has been responsibly disclosed to the plugin developers, Acurax, and acknowledged by them. The developers have released an updated version of the plugin (version 2.7) that addresses this issue. The plugin's changelog is available here: https://wordpress.org/plugins/coming-soon-maintenance-mode-from-acurax/#developers

To protect your WordPress site from this vulnerability, follow these steps:

1. Update the Under Construction / Maintenance Mode from Acurax plugin to the latest version (2.7 or higher) from the WordPress plugin repository: https://wordpress.org/plugins/coming-soon-maintenance-mode-from-acurax/
2. Alternatively, if you are unable to update the plugin for any reason, consider disabling the REST API on your WordPress site or restricting access to it with the help of an additional security plugin.
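One way to apply step 2 in the site's own code rather than through an extra security plugin, as an added example that is not from this post or from Acurax: a must-use plugin that hooks WordPress's rest_authentication_errors filter and refuses anonymous REST requests while maintenance mode is active. The maintenance-flag helper and its option name are assumptions (the real plugin's option key is not given here) and must be adapted to your site.

```php
<?php
/**
 * Plugin Name: Restrict REST API while maintenance mode is active
 * Description: Added example, not part of the Acurax plugin. Place this file
 *              in wp-content/mu-plugins/ so it loads without activation.
 */

// Hypothetical helper: the option name below is an assumption. Point it at
// whatever flag your site uses to record that maintenance mode is enabled.
function example_maintenance_mode_is_active() {
    return (bool) get_option( 'example_maintenance_mode_active', false );
}

// rest_authentication_errors runs before any REST route callback, so refusing
// here covers /wp/v2/posts, /wp/v2/pages and every other public route at once.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Respect a decision already made by an earlier authentication handler
    // (true = authenticated, WP_Error = already rejected).
    if ( ! empty( $result ) ) {
        return $result;
    }

    // Outside maintenance mode the REST API behaves exactly as before.
    if ( ! example_maintenance_mode_is_active() ) {
        return $result;
    }

    // Logged-in users (editors previewing content, the block editor) keep access.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Anonymous request during maintenance: reject it with a 401 before the
    // route runs, so no post or page content is serialized into the response.
    return new WP_Error(
        'rest_maintenance_mode',
        __( 'The REST API is unavailable while the site is under maintenance.' ),
        array( 'status' => 401 )
    );
} );
```

If some anonymous REST traffic must keep working during maintenance (for example a contact-form plugin's own route), compare the request's route against an allowlist before returning the WP_Error instead of blocking every public route.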

Conclusion

Sensitive Information Exposure vulnerabilities like CVE-2024-1476 pose a significant risk to WordPress websites, as they allow unauthorized access to critical site content. In the case of the Under Construction / Maintenance Mode from Acurax plugin, this vulnerability has been addressed in the latest version (2.7) of the plugin. To protect your site from potential attacks, it is crucial to keep your plugins, themes, and WordPress core up-to-date and follow security best practices.

Timeline

Published on: 02/28/2024 09:15:42 UTC
Last modified on: 02/28/2024 14:06:45 UTC