CVE-2026-39464
Server-Side Request Forgery in SeedProd Coming Soon Page
Publication date: 2026-04-08
Last updated on: 2026-04-14
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| seedprod | coming_soon_page | to 6.19.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39464 is a Server Side Request Forgery (SSRF) vulnerability in the WordPress plugin "Coming Soon Page, Under Construction & Maintenance Mode by SeedProd" affecting versions up to and including 6.19.8.
This vulnerability allows a malicious actor with Editor or Developer privileges to make the affected website send arbitrary HTTP requests to attacker-controlled domains.
Exploiting this flaw could enable attackers to access sensitive information from other services running on the same system.
The vulnerability is fixed in version 6.19.9 of the plugin, and users are strongly advised to update to this version or later to mitigate the risk.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker with certain privileges (Editor or Developer) to make your website perform arbitrary HTTP requests to attacker-controlled domains.
Such exploitation could lead to unauthorized access to sensitive information from internal services running on the same system as your website.
Although the risk is considered moderate with a CVSS score of 5.5 and is unlikely to be exploited for highly impactful threats, it can still be used in mass-exploit campaigns targeting many websites.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability CVE-2026-39464 is fixed in version 6.19.9 of the SeedProd Coming Soon Page, Under Construction & Maintenance Mode plugin.
Users are strongly advised to update the plugin to version 6.19.9 or later to mitigate the risk of Server Side Request Forgery (SSRF).
Patchstack offers automated updates for vulnerable plugins to facilitate rapid protection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-39464 is a Server Side Request Forgery (SSRF) vulnerability that allows attackers to make arbitrary HTTP requests from the affected server, potentially exposing sensitive information from internal services.
While the vulnerability could lead to unauthorized access to sensitive data, the provided information does not explicitly discuss its direct impact on compliance with common standards and regulations such as GDPR or HIPAA.
However, since unauthorized data exposure can violate data protection requirements, organizations using the affected plugin should consider the risk in the context of their regulatory obligations and apply the recommended patch to mitigate potential compliance issues.