Message-ID: <CACepC7XhXqWh45fOYL-4kdZW-h1jQfMb2b10W38RD9euV1j+OA@mail.gmail.com>
Date: Tue, 20 Jan 2026 15:31:45 +0200
From: mohammed gaming 222 <craftmohammed460@...il.com>
To: oss-security@...ts.openwall.com
Subject: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality
Hello OSS-Security Team,
I would like to responsibly disclose a security vulnerability identified in
the WordPress plugin *Under Construction & Maintenance Mode*.
------------------------------
Summary
A security issue was discovered in the *Under Construction & Maintenance
Mode* WordPress plugin related to an exposed debug functionality.
The vulnerability allows unauthorized modification of WordPress options,
which may lead to *Stored Cross-Site Scripting (XSS)* in the WordPress
admin dashboard.
------------------------------
Affected Component
- *Plugin:* Under Construction & Maintenance Mode
- *Vendor:* WPBrigade / Loginizer
- *Affected File:* lib/wpb-sdk/views/wpb-debug.php
------------------------------
Vulnerability Details
The affected debug endpoint processes POST requests without proper security
controls:
- Missing authorization checks (current_user_can)
- Missing nonce validation
- Direct use of user-controlled input in update_option()
This allows attackers to arbitrarily modify WordPress options.
------------------------------
Vulnerability Type
- Missing Authorization
- Missing Nonce Validation
- Arbitrary Option Update
- Stored XSS (Admin Context)
------------------------------
Impact
An attacker may:
- Modify arbitrary WordPress options
- Inject persistent JavaScript payloads
- Trigger Stored XSS in the admin dashboard
- Manipulate site configuration or administrator sessions
------------------------------
Proof of Concept (Code Snippet)
// Vulnerable handler as quoted from lib/wpb-sdk/views/wpb-debug.php:
// no capability check, no nonce check, option name and value taken
// straight from the request.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['set_option_name'])
    && isset($_POST['option_value'])) {
    update_option($_POST['set_option_name'], $_POST['option_value']);
}
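For comparison, a hardened form of that handler, written here as an added example rather than code from the plugin or its vendor. The nonce action name, the allow-list of option names and the function name are assumptions; everything else uses standard WordPress APIs.

```php
<?php
// Added example (not the plugin's own code): the debug handler with the
// three missing controls from the advisory put back. Assumed/hypothetical:
// the function name, the nonce action 'wpb_debug_set_option', and the
// allow-list of option names.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse direct requests to the file; run only inside WordPress.
}

function wpb_debug_handle_set_option() {
    if ( $_SERVER['REQUEST_METHOD'] !== 'POST' ) {
        return;
    }

    // 1. Authorization: only users allowed to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF protection: the form must carry a nonce produced with
    //    wp_nonce_field( 'wpb_debug_set_option' ); check_admin_referer()
    //    dies with a 403 when it is missing or invalid.
    check_admin_referer( 'wpb_debug_set_option' );

    // 3. Restrict which options the debug view may touch at all
    //    (hypothetical list; never accept an arbitrary option name).
    $allowed_options = array( 'wpb_debug_mode', 'wpb_debug_log_level' );
    $name = isset( $_POST['set_option_name'] )
        ? sanitize_key( wp_unslash( $_POST['set_option_name'] ) )
        : '';
    if ( ! in_array( $name, $allowed_options, true ) ) {
        wp_die( 'Option not allowed.', 400 );
    }

    // 4. Sanitize the value before storing it, so markup cannot be persisted
    //    and later rendered in the admin dashboard (stored XSS); output paths
    //    should still escape with esc_html()/esc_attr() when displaying it.
    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';

    update_option( $name, $value );
}
```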
------------------------------
Affected Versions
- Versions prior to vendor fix (exact version pending confirmation)
------------------------------
Disclosure Timeline
- Vulnerability discovered through manual security testing
- Advisory published through community channels
- No active exploitation observed at the time of disclosure
------------------------------
Please let me know if any additional information is required.
Kind regards,
*Mohammed Abdallah*