Skip to main content

Under Construction Coming Soon Maintenance Mode CVE-2026-34896

| EUVDEUVD-2026-19590 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-07 Patchstack
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 07, 2026 - 08:45 euvd
EUVD-2026-19590
Analysis Generated
Apr 07, 2026 - 08:45 vuln.today
CVE Published
Apr 07, 2026 - 08:20 nvd
HIGH 7.5

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, Coming Soon & Maintenance Mode allows Cross Site Request Forgery.This issue affects Under Construction, Coming Soon & Maintenance Mode: from n/a through 2.1.1.

AnalysisAI

Cross-Site Request Forgery (CSRF) in Analytify's Under Construction, Coming Soon & Maintenance Mode WordPress plugin versions up to 2.1.1 allows remote attackers to perform unauthorized actions on behalf of authenticated administrators through social engineering. With CVSS 7.5 (high severity) and high complexity attack vector requiring user interaction, this vulnerability has no public exploit identified at time of analysis. EPSS data not available, not listed in CISA KEV.

Technical ContextAI

This vulnerability affects the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin (CPE: cpe:2.3:a:analytify:under_construction,_coming_soon_&_maintenance_mode), a site maintenance and coming-soon page management tool. The issue stems from CWE-352 (Cross-Site Request Forgery), a security weakness where the application fails to validate that requests originate from legitimate user actions rather than malicious third-party sites. CSRF vulnerabilities in WordPress plugins typically occur when administrative functions lack proper nonce verification or anti-CSRF tokens. This allows attackers to craft malicious web pages or emails containing forged requests that, when accessed by an authenticated administrator, execute unauthorized actions such as changing plugin settings, modifying site configuration, or performing privileged operations. The plugin's maintenance mode functionality likely includes administrative endpoints that were not adequately protected against CSRF attacks.

RemediationAI

WordPress administrators should immediately upgrade the Analytify Under Construction, Coming Soon & Maintenance Mode plugin to the latest available version beyond 2.1.1. Vendor-released patch information and specific patched version number are not independently confirmed from available data; administrators should check the WordPress plugin repository or Analytify's official channels for the most recent secure release. As an interim mitigation, administrators can implement web application firewall rules to detect and block potential CSRF attacks, enforce strict Content Security Policy headers, and educate administrative users to avoid clicking links from untrusted sources while authenticated to WordPress admin panels. Consider temporarily disabling the plugin if not actively needed for site maintenance operations. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/under-construction-maintenance-mode/vulnerability/wordpress-under-construction-coming-soon-maintenance-mode-plugin-2-1-1-cross-site-request-forgery-csrf-vulnerability for updated remediation guidance and confirmed patched versions.

Share

CVE-2026-34896 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy