CVE-2024-1181
Description
The Coming Soon, Under Construction & Maintenance Mode By Dazzler plugin for WordPress is vulnerable to maintenance mode bypass in all versions up to, and including, 2.1.2. This is due to the plugin relying on the REQUEST_URI to determine if the page being accessed is an admin area. This makes it possible for unauthenticated attackers to bypass maintenance mode and access the site, which may be considered confidential when in maintenance mode.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches: 1
Vulnerability mechanics
Root cause
"The plugin uses `$_SERVER['REQUEST_URI']` to determine if the page is an admin area, which can be spoofed by an attacker to bypass maintenance mode."
Attack vector
An unauthenticated attacker sends a request to the site with a URI that contains `/wp-admin/` (e.g., `https://example.com/wp-admin/../`). The plugin's `dazz_cs_launch` function checks `$_SERVER['REQUEST_URI']` for the presence of `/wp-admin/` and, if found, assumes the user is in the admin area and does not apply the maintenance-mode redirect [ref_id=1]. This allows the attacker to view the site's front-end content that should be hidden during maintenance mode [CWE-862].
Affected code
The check that can be bypassed is in the `dazz_cs_launch` function in `coming-soon-wp/trunk/coming-soon-wp.php` (line 45). The function uses `$_SERVER['REQUEST_URI']` to decide whether the current page is an admin area, but an attacker can craft a URI that includes `/wp-admin/` while still accessing the front-end, causing the plugin to skip the maintenance-mode redirect.
What the fix does
The advisory does not provide a patch diff. To fix the vulnerability, the plugin should replace the `REQUEST_URI` check with a proper WordPress capability check (e.g., `current_user_can('administrator')`) so that only authenticated administrators can bypass maintenance mode. Relying on the URI alone is insufficient because an attacker can manipulate the request path to include `/wp-admin/` without actually being in the admin area.
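The two patterns side by side, as an added illustration rather than the plugin's own code: the option name `dazz_cs_status` and the function name `dazz_cs_launch` come from the advisory, but the function bodies, the `example_` helper names and the hook choice are assumptions made for this example. The vulnerable version decides "is this the admin area?" from the attacker-controlled request path; the hardened version decides from WordPress's own admin context and the requester's capability, and never reads `REQUEST_URI` at all.

```php
<?php
// Illustrative example only; not code from the Dazzler plugin.
// Assumed: the plugin stores the on/off flag in the option 'dazz_cs_status'
// (advisory: maintenance mode is active when it is != '0').

function example_render_maintenance_page() {
    // Tell clients and crawlers the outage is temporary, and keep the
    // placeholder out of caches so it is not served after maintenance ends.
    status_header( 503 );
    header( 'Retry-After: 3600' );
    nocache_headers();
    echo '<h1>Site under maintenance</h1>';
    exit;
}

// Vulnerable pattern (the class of check described in the advisory):
// any request whose path merely contains /wp-admin/ skips the redirect,
// regardless of who sent it or what WordPress is actually serving.
function example_vulnerable_launch() {
    if ( get_option( 'dazz_cs_status', '0' ) === '0' ) {
        return; // maintenance mode is off
    }
    if ( strpos( $_SERVER['REQUEST_URI'], '/wp-admin/' ) !== false ) {
        return; // BUG: trusts attacker-controlled input as proof of admin context
    }
    example_render_maintenance_page();
}

// Hardened pattern: decide by context and identity, not by the request path.
function example_hardened_launch() {
    if ( get_option( 'dazz_cs_status', '0' ) === '0' ) {
        return; // maintenance mode is off
    }
    // is_admin() reports whether WordPress itself is serving an administration
    // screen; it is derived from the executing script, not parsed from the URI.
    if ( is_admin() ) {
        return;
    }
    // Only an authenticated user with the administrator role may see the
    // front-end during maintenance. current_user_can() is false for anonymous
    // visitors, so a crafted path alone can no longer bypass the redirect.
    // (A capability such as 'manage_options' is the conventional argument;
    // 'administrator' is used here because it is what the advisory suggests.)
    if ( current_user_can( 'administrator' ) ) {
        return;
    }
    example_render_maintenance_page();
}

// template_redirect runs for front-end requests after the current user is
// resolved, so the capability check above has the information it needs.
add_action( 'template_redirect', 'example_hardened_launch' );
```

When reviewing a maintenance-mode or coming-soon plugin, the thing to grep for is any branch that reads `$_SERVER['REQUEST_URI']`, `$_SERVER['PHP_SELF']` or `$_SERVER['SCRIPT_NAME']` to decide whether to skip the redirect; every one of those values is shaped by the client's request line, so each is a CWE-862 missing-authorization check in disguise unless it is paired with a real identity check.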
Preconditions
- config: The site must have the plugin active and maintenance mode enabled (dazz_cs_status != '0').
- auth: No authentication required; the attacker can be unauthenticated.
- network: Attacker must be able to send HTTP requests to the WordPress site.
- input: The request URI must contain '/wp-admin/' to trick the REQUEST_URI check.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 3
No linked articles in our index yet.