Plugin Exploit

CSRF & XSS Vulnerabilities WP Maintenance Plugin in Versions<= 5.0.5

Updated on: March 29, 2020

CSRF & XSS Vulnerabilities WP Maintenance Plugin in Versions<= 5.0.5

WP maintenance plugin has been found to be vulnerable to CSRF and stored XSS. On November 15th, WordFence reported the vulnerability to WP maintenance plugin’s developers. Following which the plugin developers (Florent Malliefaud) urgently patched the vulnerability in just a day.

Version 5.0.6 is free of vulnerabilities. We recommend you update your plugin from any previous version to this.

About WP maintenance Plugin

As its name suggests, the WP maintenance plugin enables you to put your website on maintenance mode. It also enables you to customize your website maintenance page extensively.

This is how the WP maintenance plugin looks in the WordPress repository.

As you can see, there are as many as 30, 000+ active installations of this plugin. Its features include custom texts, logo, picture, CSS, etc on the maintenance page. You could even insert a countdown timer on your site maintenance page.

Vulnerability Details

According to WordFence, this vulnerability allows attackers to put your website in maintenance mode and inject malicious codes in your websites. Primarily the customization features are at a flaw in the plugin. The customization settings do not check nonce key of users before updating the settings. This could lead to a serious CSRF attack.

Also, there is a lack of proper code sanitation in the settings input field, which allows hackers to inject dangerous codes in your website.

More technicalities are in the next section.

Technical Details

WP maintenance facilitates a large number of customization features. It turns out excessive customization features needed better surveillance. WP maintenance lacked in this with limited nonce protection and Input/Output Sanitation on values. These overlooked areas resulted in Cross-Site Request Forgery (CSRF). The CSRF then led to Cross-Site Scripting (XSS) vulnerability in WP Maintenance.

Look at this code:

/* Update des paramètres */
if( isset($_POST['action']) && $_POST['action'] == 'update_general' ) {

if( isset($_POST["wp_maintenance_social_options"]['reset']) && $_POST["wp_maintenance_social_options"]['reset'] ==1 ) {
$_POST["wp_maintenance_social"] = '';
update_option('wp_maintenance_social', $_POST["wp_maintenance_social"]);
update_option('wp_maintenance_social_options', $_POST["wp_maintenance_social_options"]);
update_option('wp_maintenance_active', $_POST["wp_maintenance_active"]);

$options_saved = wpm_update_settings($_POST["wp_maintenance_settings"]);

$messageUpdate = 1;

Here the update_general AJAX function does not verify the nonce token, leaving it vulnerable to CSRF. Also, the update_option() & wpm_update_settings() functions do not have input sanitization. This could allow an unauthorized user/attacker to inject malicious scripts as a stored XSS, which when called could cause redirection, crypto mining, data stealing, etc on your site.

By and large, all settings in the plugin were vulnerable to CSRF & XSS.

WP maintenance vulnerability
Credit: WordFence

The General Settings window in WP maintenance has two input fields. The title and the text field.

Due to flawed Validation and Sanitization, malicious codes skip parsing and gets stored as a stored XSS vulnerability. See the following example on the “Enable Newsletter” field of WP maintenance:

WP Maintenance Vulnerability
Credit: WordFence

The codes pass sanitization and it gets executed.

Update to Mitigate Risk

Simply update the plugin to the latest version (5.0.6) to mitigate risks.

Also, improper security maintenance remains a serious issue in lots of WordPress plugins. The best way you can ensure the security of your website is becoming choosy. Where WP maintenance was quick in patching the vulnerabilities, not many plugins do that.

Download only the plugins that have an active support and development team. This you can know by checking plugin reviews or looking for them in forums.

Astra Security at Help

Having a secure plugin does help, but do you know what helps even better than relying on plugin’s security? Having your dedicated security system of your own.

Astra security is a complete security suite for your WordPress website. You can sit back and chill when Astra is taking care of your website’s security. It offers numerous features such as a web application firewall, malware scanner, malware cleanups, security audits and more for your website. You can check our reviews here.

Take the Astra demo and know for yourself.

Shoot your security questions in the comment box below, we’ll make sure to answer 🙂

Or you can also get in touch with security experts on the chat here.

Was this post helpful?

Naman Rastogi

Naman Rastogi is a Growth hacker and digital marketer at Astra security. Working actively in cybersecurity for more than a year, Naman shares the passion for spreading awareness about cybersecurity amongst netizens. He is a regular reader of anything cybersecurity which he channelizes through the Astra blog. Naman is also a jack of all trade. He is certified in market analytics, content strategy, financial markets and more while working parallelly towards his passion i.e cybersecurity. When not hustling to find newer ways to spread awareness about cybersecurity, he can be found enjoying a game of ping pong or CSGO.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany