Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, Coming Soon & Maintenance Mode allows Cross Site Request Forgery.This issue affects Under Construction, Coming Soon & Maintenance Mode: from n/a through 2.1.1.
AnalysisAI
Cross-Site Request Forgery (CSRF) in Analytify's Under Construction, Coming Soon & Maintenance Mode WordPress plugin versions up to 2.1.1 allows remote attackers to perform unauthorized actions on behalf of authenticated administrators through social engineering. With CVSS 7.5 (high severity) and high complexity attack vector requiring user interaction, this vulnerability has no public exploit identified at time of analysis. EPSS data not available, not listed in CISA KEV.
Technical ContextAI
This vulnerability affects the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin (CPE: cpe:2.3:a:analytify:under_construction,_coming_soon_&_maintenance_mode), a site maintenance and coming-soon page management tool. The issue stems from CWE-352 (Cross-Site Request Forgery), a security weakness where the application fails to validate that requests originate from legitimate user actions rather than malicious third-party sites. CSRF vulnerabilities in WordPress plugins typically occur when administrative functions lack proper nonce verification or anti-CSRF tokens. This allows attackers to craft malicious web pages or emails containing forged requests that, when accessed by an authenticated administrator, execute unauthorized actions such as changing plugin settings, modifying site configuration, or performing privileged operations. The plugin's maintenance mode functionality likely includes administrative endpoints that were not adequately protected against CSRF attacks.
RemediationAI
WordPress administrators should immediately upgrade the Analytify Under Construction, Coming Soon & Maintenance Mode plugin to the latest available version beyond 2.1.1. Vendor-released patch information and specific patched version number are not independently confirmed from available data; administrators should check the WordPress plugin repository or Analytify's official channels for the most recent secure release. As an interim mitigation, administrators can implement web application firewall rules to detect and block potential CSRF attacks, enforce strict Content Security Policy headers, and educate administrative users to avoid clicking links from untrusted sources while authenticated to WordPress admin panels. Consider temporarily disabling the plugin if not actively needed for site maintenance operations. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/under-construction-maintenance-mode/vulnerability/wordpress-under-construction-coming-soon-maintenance-mode-plugin-2-1-1-cross-site-request-forgery-csrf-vulnerability for updated remediation guidance and confirmed patched versions.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19590