VYPR
Low severity (CVSS 3.5) · NVD Advisory · Published Oct 30, 2025 · Updated Apr 15, 2026

CVE-2025-10636

Description

The NS Maintenance Mode for WP WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The NS Maintenance Mode for WP plugin through 1.3.1 has a stored XSS vulnerability where admin users can inject scripts via unsanitized settings.

The NS Maintenance Mode for WP WordPress plugin through version 1.3.1 fails to sanitize and escape some of its settings. This lack of proper input handling allows high-privilege users, such as administrators, to inject arbitrary web scripts into plugin settings pages. Because the vulnerability is stored, the malicious script persists and is executed when other administrators view the affected pages [1].

Exploitation requires administrator-level access to the WordPress dashboard. The vulnerability is especially concerning in multisite installations, where the unfiltered_html capability is typically disallowed for all users, including super admins. This means the plugin's oversight enables a stored cross-site scripting (XSS) attack even when WordPress core would otherwise prevent such injections [1].

An attacker with admin privileges could inject JavaScript that executes in the context of other administrators' sessions. This could lead to session hijacking, unauthorized actions on behalf of other admins, or the injection of malicious content into the site. The impact is limited to users with administrative roles, but in a multisite environment, it could affect site-level administrators [1].

As of the advisory publication, the vulnerability is unpatched and no fix is available. The plugin remains at version 1.3.1, and users are advised to restrict administrative access or consider alternative maintenance mode plugins. The vulnerability has been publicly disclosed and added to WPScan's vulnerability database [1].
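The advisory's root cause is a settings page that neither sanitises on save nor escapes on output, so the stored value reaches other administrators' browsers unchanged. The following WordPress plugin fragment is an added illustration of the sanitise-then-escape pattern whose absence is described above; it is not code from NS Maintenance Mode for WP, and the option group, option names and function names (`demo_mm_*`) are hypothetical. It assumes it runs inside WordPress (Settings API, `wp_kses_post`, `esc_*` helpers), with a short vulnerable fragment kept only for contrast.

```php
<?php
/**
 * Added example (not the plugin's own code): settings handled the way the
 * advisory says they were not. All demo_mm_* names are hypothetical.
 */

// --- Vulnerable pattern, for contrast only: raw request value stored,
// raw stored value echoed back. This is the shape of the defect described.
function demo_mm_save_unsafe() {
    if ( isset( $_POST['demo_mm_message'] ) ) {
        // No sanitisation: whatever the admin submitted is persisted as-is.
        update_option( 'demo_mm_message', wp_unslash( $_POST['demo_mm_message'] ) );
    }
}
function demo_mm_render_unsafe() {
    // No escaping: the stored value is emitted into the admin page verbatim.
    echo '<textarea name="demo_mm_message">' . get_option( 'demo_mm_message' ) . '</textarea>';
}

// --- Hardened pattern: sanitise on save via the Settings API, escape on output.
add_action( 'admin_init', 'demo_mm_register_settings' );
function demo_mm_register_settings() {
    // A plain-text field: sanitize_text_field strips tags and control chars.
    register_setting( 'demo_mm_options', 'demo_mm_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
    // A rich-text field that is allowed to carry limited HTML.
    register_setting( 'demo_mm_options', 'demo_mm_message', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_mm_sanitize_message',
        'default'           => '',
    ) );
}

/**
 * Runs on every save through options.php, whatever the saving user's role.
 * wp_kses_post() keeps the post-safe HTML allow-list and drops <script>,
 * on* event handlers and javascript: URLs. The plugin must do this itself:
 * the unfiltered_html capability only governs what core lets a user keep in
 * post content, not what a plugin writes into its own options, which is why
 * disallowing unfiltered_html (e.g. in multisite) did not prevent this issue.
 */
function demo_mm_sanitize_message( $value ) {
    return wp_kses_post( (string) $value );
}

// Admin settings page: escape for the exact HTML context of each field.
function demo_mm_render_fields() {
    $title   = get_option( 'demo_mm_title', '' );
    $message = get_option( 'demo_mm_message', '' );
    ?>
    <input type="text" name="demo_mm_title"
           value="<?php echo esc_attr( $title ); ?>" />
    <textarea name="demo_mm_message"><?php echo esc_textarea( $message ); ?></textarea>
    <?php
}

// Public maintenance page: never trust the stored value either. The title is
// plain text, so esc_html(); the message is filtered again with wp_kses_post
// so a value written by an older, unsanitised version is still neutralised.
function demo_mm_render_maintenance_page() {
    echo '<h1>' . esc_html( get_option( 'demo_mm_title', '' ) ) . '</h1>';
    echo wp_kses_post( get_option( 'demo_mm_message', '' ) );
}
```

Two points of the design matter for the multisite case the advisory calls out. First, the `sanitize_callback` is attached to the option itself, so it runs on every save path (Settings API form, REST, WP-CLI) and cannot be bypassed by a role that still happens to hold `unfiltered_html`. Second, output is escaped again at render time rather than assuming the stored value is clean, which is what turns a stored payload from an earlier unsanitised version into inert text when the site is upgraded.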

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.