3 Nov 2022

Security Issue Remains in 200,000+ Install WordPress Plugin Over Two Years After Vulnerabilities Were “Fixed”

In August 2020, NinTechNet, the developers of the WordPress plugin NinjaFirewall, disclosed vulnerabilities in the plugin CMP – Coming Soon & Maintenance Plugin. That plugin had 100,000+ installs at the time and is now up to 200,000+ installs. NinTechNet stated that the vulnerabilities were fixed at the time. Recently, while reviewing the plugin’s code related to those vulnerabilities, as at least one of our customers now uses the plugin, we found that a security issue still hasn’t been resolved.

NinTechNet’s post described part of the problem with the plugin this way:

It lacks a capability check and a security nonce, allowing any authenticated user to download the plugin’s subscribers list which includes email addresses and names.

In the version in which the vulnerabilities were supposed to have been fixed, both of the missing checks were added to the cited function niteo_export_csv() in the file /niteo-cmp.php:

public function niteo_export_csv() {
 
	if ( !current_user_can('publish_pages') ) {
		die('Sorry, but this request is invalid');
	}
 
	check_ajax_referer( 'cmp-coming-soon-ajax-secret', 'security' );

The same checks are also used in other AJAX-accessible functions in the plugin. There is a problem with that code that is hard to explain.

That code checks for a capability named “publish_pages”, so the function would be accessible to anyone logged in to WordPress as an Editor or an Administrator. Yet only Administrators can access the plugin’s admin pages, and that is where those functions are intended to be accessed from.

Looking at the code as of that version (and the latest version), a different capability, “manage_options”, is required to access those pages:

$page = add_menu_page(__('CMP Settings', 'cmp-coming-soon-maintenance'), __('CMP Settings', 'cmp-coming-soon-maintenance'), 'manage_options', 'cmp-settings', array($this, 'cmp_settings_page'), plugins_url('/img/cmp.png', __FILE__));

One of the other functions protected in the same way, cmp_theme_update_install(), allows uploading arbitrary files to the website, which is something that only Administrators should be able to do.

The nonce check that also occurs would normally keep Editors from accessing those functions, since they would not normally have access to the relevant nonce, but the WordPress documentation for nonces makes it clear that nonces aren’t intended for that purpose:

Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised.
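To make the mismatch concrete, here is an added example (our own illustration, not code from the plugin or from NinTechNet) of an AJAX export handler written two ways: the weak pattern described above, and a hardened version whose capability check matches the one gating the plugin’s admin menu. The function and hook names are hypothetical; the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's code. Hypothetical handler names; the
// WordPress functions (current_user_can, check_ajax_referer, wp_send_json_error,
// add_action) are the real API.

// Weak form, mirroring the pattern discussed above. 'publish_pages' is a
// capability the Editor role holds by default, so Editors pass this gate even
// though the plugin's own settings page requires 'manage_options'.
function example_export_csv_weak() {
	if ( ! current_user_can( 'publish_pages' ) ) {
		die( 'Sorry, but this request is invalid' );
	}
	// The nonce only proves the request came from a page that issued it (CSRF
	// protection). An Editor who can load such a page obtains the nonce, so this
	// line does not limit the export to Administrators.
	check_ajax_referer( 'cmp-coming-soon-ajax-secret', 'security' );
	// ... build and send the CSV ...
}

// Hardened form: authorization is decided by a capability that only
// Administrators hold by default ('manage_options', the same one used for the
// admin menu), and the nonce is left to do only its CSRF job. The capability is
// checked first so the nonce is never the only thing guarding the export.
function example_export_csv_hardened() {
	if ( ! current_user_can( 'manage_options' ) ) {
		// wp_send_json_error() ends execution, like die().
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}
	check_ajax_referer( 'cmp-coming-soon-ajax-secret', 'security' );
	// ... build and send the CSV ...
}

// Register only the hardened handler, and only for logged-in requests: there is
// deliberately no matching 'wp_ajax_nopriv_' hook, so anonymous requests never
// reach the function at all.
add_action( 'wp_ajax_example_export_csv', 'example_export_csv_hardened' );
```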

We notified the developer of that issue last month, but we have yet to get a response and the issue has yet to be addressed.
