CVE-2025-10638
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-10-22

Assigner: WPScan

Description
The NS Maintenance Mode for WP WordPress plugin through 1.3.1 lacks authorization in its subscriber export function, allowing unauthenticated attackers to download a list of a site's subscribers containing their name and email address.
Meta Information
Published: 2025-10-22
Last Modified: 2025-10-22
Generated: 2026-06-16
AI Q&A: 2025-10-22
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor: wordpress
Product: ns_maintenance_mode_for_wp
Version / Range: 1.3.1
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10638 is a vulnerability in the NS Maintenance Mode for WP WordPress plugin (up to version 1.3.1) where the subscriber export function lacks proper authorization checks. This flaw allows unauthenticated attackers to send a specially crafted request to the plugin's endpoint and download a CSV file containing all site subscribers' sensitive information, including their names and email addresses. [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of subscriber data, exposing names and email addresses to attackers without any authentication. This can result in privacy breaches, spam, phishing attacks targeting subscribers, and damage to the site's reputation. [1]

Detection Guidance

This vulnerability can be detected by checking whether the WordPress site is running the NS Maintenance Mode for WP plugin version 1.3.1 or earlier and by testing the subscriber export functionality for unauthorized access. Specifically, you can send an unauthenticated POST request to the endpoint `wp-admin/admin-ajax.php` with the parameter `action=ns_mm_create_csv_subscriber`. If the request returns a CSV file containing subscriber data (names and email addresses) without authentication, the vulnerability is present. For example, using curl: `curl -X POST https://yourwordpresssite.com/wp-admin/admin-ajax.php -d "action=ns_mm_create_csv_subscriber"`; if subscriber data is returned, the site is affected. [1]

Mitigation Strategies

Immediate mitigation steps include disabling or removing the NS Maintenance Mode for WP plugin until a patch or fix is available, restricting access to the `wp-admin/admin-ajax.php` endpoint to authenticated users only via server or application-level controls, and monitoring for any unauthorized access attempts to the subscriber export functionality. Since no fix is currently available, limiting exposure and access is critical. [1]
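What the missing authorization check looks like on the plugin side, as an added illustration that is not the plugin's own code: the action name `ns_mm_create_csv_subscriber` comes from the detection guidance above, while the hook registration, the capability, the nonce action string and the `ns_mm_subscribers` option name are assumptions made for this example (the real plugin's storage is not described on this page).

```php
<?php
// Illustrative hardened AJAX export handler (not the plugin's own code).
// Assumption: the affected version exposed the export through admin-ajax.php
// to anonymous visitors (i.e. via a wp_ajax_nopriv_ hook) with no capability
// check, which is what the curl test above exercises.

// Register ONLY the authenticated hook. Without a matching wp_ajax_nopriv_
// registration, admin-ajax.php answers anonymous requests for this action
// with "0" instead of running the handler.
add_action( 'wp_ajax_ns_mm_create_csv_subscriber', 'hardened_ns_mm_export_subscribers' );

function hardened_ns_mm_export_subscribers() {
    // Authorization: being logged in is not enough on its own; require a
    // capability suited to reading the subscriber list (assumed here).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // CSRF protection: the request must carry a nonce minted for this user
    // and purpose, e.g. wp_create_nonce( 'ns_mm_export_subscribers' ) on the
    // admin page that offers the download (assumed nonce action name).
    check_ajax_referer( 'ns_mm_export_subscribers', 'nonce' );

    // Data source: assumed option holding rows of name/email pairs.
    $subscribers = get_option( 'ns_mm_subscribers', array() );

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="subscribers.csv"' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'name', 'email' ) );
    foreach ( $subscribers as $row ) {
        fputcsv( $out, array( $row['name'] ?? '', $row['email'] ?? '' ) );
    }
    fclose( $out );
    wp_die();
}
```

Checking capability and nonce inside the handler is narrower than the server-level restriction of `admin-ajax.php` mentioned above: a blanket block on anonymous requests to that endpoint also breaks other plugins and themes that legitimately serve unauthenticated front-end AJAX through it.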
