CVE-2025-12586
BaseFortify
Publication date: 2025-11-25
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | conditional_maintenance_mode | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the Conditional Maintenance Mode plugin for WordPress, affecting all versions up to and including 1.0.0. It occurs because the plugin lacks nonce validation when toggling the maintenance mode status. As a result, an attacker can trick an administrator into clicking a malicious link, causing the site to be put into or taken out of maintenance mode without the administrator's intent.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can enable or disable the website's maintenance mode without authorization by tricking an administrator into performing an action. This could lead to unexpected downtime or exposure of the site during maintenance periods, potentially disrupting service availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Conditional Maintenance Mode plugin to a version later than 1.0.0 once available. Until then, restrict administrator access to trusted users only and avoid clicking on suspicious links that could trigger the maintenance mode toggle. Additionally, consider disabling the plugin temporarily to prevent exploitation.